What's the use of X-Powered-By, Server and other similar HTTP headers?

Question

What's the use of Server, X-Powered-By and other similar headers? Looks like the consensus is they should be removed so that automatic vulnerability scanners doen't immediately know which version of which software they're dealing with and so automatic vulnerability discovery gets harder.

Are there scenarios where it is indeed useful to let all the world know that the site is running on IIS 7 and is X-Powered-By ASP.NET version 4?

I suspect they are added as a form of advertisement and to enable web server stats like you get from Netcraft. http://news.netcraft.com/archives/2012/01/03/january-2012-web-server-survey.html — Zoredache, Jun 04 '12 at 15:28

score 20 · Accepted Answer · answered Jun 04 '12 at 13:23

It might be useful to developers or Power User clients; but is certainly more commonly useful to hackers and their like. I would leave them on while developing a site, and perhaps upon initial release; but not in the long run. Clients care about content, not headers.

What's the use of X-Powered-By, Server and other similar HTTP headers?

1 Answers1