How to fix info disclosure x powered by on Shopify Plus

Remove or mask the X-Powered-By HTTP response header to stop advertising your server technology stack to attackers.

Steps for Shopify Plus

  1. Same as Shopify above. Shopify Plus merchants with custom Hydrogen storefronts on Oxygen should remove the header in their server middleware as described.
  2. If you use a custom external front-end (e.g., Next.js on Vercel), apply the fix at the Next.js/Vercel layer: set `poweredByHeader: false` in next.config.js. The `headers()` config in next.config.js can only add or overwrite headers, not remove them, so an entry like `{ key: 'X-Powered-By', value: '' }` would send an empty header rather than drop it. Alternatively, use Vercel's Headers settings in the project dashboard under Settings → Headers.
Reference snippets for storefronts served from your own infrastructure rather than by Shopify:

# Nginx — strip X-Powered-By in the server block
# more_clear_headers needs the ngx_headers_more module; stock nginx can only hide
# headers coming from a proxied upstream, via: proxy_hide_header X-Powered-By;
more_clear_headers 'X-Powered-By';

# Apache .htaccess — unset header (requires mod_headers)
Header unset X-Powered-By

# PHP — suppress the "X-Powered-By: PHP/x.y" header PHP adds by default
expose_php = Off          # php.ini
header_remove('X-Powered-By');  # PHP code, before any output is sent

# Next.js — next.config.js (Next.js otherwise sends "X-Powered-By: Next.js")
module.exports = {
  poweredByHeader: false,
};
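For the Hydrogen-on-Oxygen step above, the page does not show the middleware itself. The following is an added example, not Shopify's or Hydrogen's own code: a wrapper for a fetch-style request handler (the shape Oxygen runs) that rebuilds every outgoing Response without X-Powered-By, plus a small audit helper that parses the raw header block printed by `curl -sI` so you can confirm the header is gone after deploying. It assumes a runtime with the WHATWG `Response`/`Headers`/`Request` globals (Oxygen, or Node 18+ for local testing); the `upstream` handler and its header values are constructed for the demo.

```javascript
// Added example (not Shopify's or Hydrogen's code). Assumes WHATWG Response,
// Headers and Request globals, as provided by Oxygen and by Node 18+.

const DISCLOSING_HEADER = 'x-powered-by'; // header names are case-insensitive

// Return a copy of `response` with X-Powered-By removed. A Response obtained
// from fetch() has immutable headers, so we rebuild rather than mutate it.
function stripPoweredBy(response) {
  if (!response.headers.has(DISCLOSING_HEADER)) return response; // nothing to do
  const headers = new Headers(response.headers);
  headers.delete(DISCLOSING_HEADER);
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Wrap a handler `(request, ...ctx) => Promise<Response>` so that every
// response it produces is stripped before leaving the server.
function withoutPoweredBy(handler) {
  return async (request, ...ctx) => stripPoweredBy(await handler(request, ...ctx));
}

// Parse the raw header block printed by `curl -sI https://your-store.example`
// and return the X-Powered-By value if the header is still being sent,
// otherwise null. Useful as a post-deploy smoke check.
function auditRawHeaders(rawHeaders) {
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or blank separator line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (name === DISCLOSING_HEADER) return line.slice(idx + 1).trim();
  }
  return null;
}

// Constructed demo upstream: a handler that advertises its framework.
const upstream = async () =>
  new Response('hello', {
    status: 200,
    headers: { 'X-Powered-By': 'Express', 'Content-Type': 'text/plain' },
  });

// In a Hydrogen project this wrapper would sit around the exported fetch handler.
const hardened = withoutPoweredBy(upstream);

// Constructed sample of what curl -sI prints for a store that still leaks.
const SAMPLE_CURL_OUTPUT =
  'HTTP/2 200\r\nserver: cloudflare\r\nx-powered-by: PHP/8.1\r\ncontent-type: text/html\r\n\r\n';
```

After deploying, run `curl -sI` against a few storefront URLs (including an error page, since frameworks often add the header there too) and feed the output to `auditRawHeaders`; a non-null return means the fix has not taken effect at every layer.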

What is info disclosure x powered by?

Every time someone visits your store, your web server sends back a set of "headers" — invisible metadata that browsers and tools can read. One of these, X-Powered-By, often announces exactly what software is running your site (e.g., "WP Engine", "PHP/8.1", "Express"). This header serves no useful purpose for your customers but acts like a neon sign telling attackers which known vulnerabilities to target. Removing or masking it is a simple hardening step that reduces your visible attack surface.

Attackers routinely scan millions of sites for this header and cross-reference the disclosed technology with published CVE databases, so an exposed X-Powered-By header can make your store a faster, easier target for automated exploits. Removing it does not fix any underlying vulnerability, but it raises the effort required to fingerprint your stack and is a baseline expectation in security audits and PCI-DSS compliance reviews. Failing this check can flag your store in penetration tests, risk assessments, and payment-processor security questionnaires, potentially affecting your ability to process cards. It is specifically called out under OWASP A05:2021 – Security Misconfiguration as an information-disclosure risk.

See the complete Info disclosure x powered by guide for every platform and the full background.
