Move custom X-Powered-By wiki page here

helmetjs · Jan 10, 2025 · 8b5eba6 · 8b5eba6
1 parent 5f7ca81
commit 8b5eba6
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/content/faq/_index.md b/content/faq/_index.md
@@ -11,6 +11,7 @@ title: "Frequently asked questions (FAQ)"
 - [How do I set a Content Security Policy nonce?]({{< ref "faq/csp-nonce-example" >}})
 - [How do I set both `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers?](https://github.com/helmetjs/helmet/issues/351#issuecomment-1015498560)
 - [How should I use Helmet with non-document responses?]({{< ref "faq/non-documents" >}})
+- [How do I set a custom `X-Powered-By` header?]({{< ref "faq/custom-x-powered-by" >}})
 - [How do I disable blocking with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-disable-blocking" >}})
 - [How do I enable the `report` directive with the `X-XSS-Protection` header?]({{< ref "faq/x-xss-protection-report-directive" >}})
 - [Who made Helmet?]({{< ref "faq/contributors" >}})
diff --git a/content/faq/custom-x-powered-by.md b/content/faq/custom-x-powered-by.md
@@ -0,0 +1,15 @@
+---
+title: How do I set a custom X-Powered-By header?
+---
+
+In Express, the `X-Powered-By` header is set to `Express` by default. Removing it has limited security benefits, as does setting it to another value. The latter was removed in a breaking Helmet change.
+
+If you want to replicate this behavior for some reason, you can do it with a few lines of Express:
+
+```js
+// NOTE: This offers limited security benefits.
+app.use((req, res, next) => {
+  res.setHeader("X-Powered-By", "Foo Bar");
+  next();
+});
+```