SEC-004 (Recommended): Security Headers

Response header hygiene

Response headers should not leak technology stack information. Remove or sanitize headers that expose server software, versions, or frameworks: a version string such as nginx/1.18.0 lets an attacker match the deployment against published CVEs for that exact release without any further probing.

Question to ask

"What does your Server header reveal about your stack?"

Pass criteria

  • No X-Powered-By header
  • Server header absent or version-less
  • No framework-specific headers exposed

Fail criteria

  • Tech stack exposed via X-Powered-By
  • Server version exposed (nginx/1.18.0)
  • Debug headers leaking in production

Verification guide

Severity: Recommended

Check automatically:

  1. Fetch headers and audit for leaks:

# Get all response headers
curl -sI https://example.com

# Check multiple endpoints
curl -sI https://example.com/api/health
curl -sI https://example.com/static/app.js

  2. Flag tech stack leaks:

# Look for leaky headers
curl -sI https://example.com | grep -iE "x-powered-by|x-aspnet|x-drupal|x-generator|x-php|x-framework"

# Check Server header for version info
curl -sI https://example.com | grep -i "^server:"
# Bad: "Server: nginx/1.18.0"
# Good: "Server: cloudflare" or absent

  3. Headers to flag:

    • X-Powered-By (any value - Express, PHP, ASP.NET)
    • Server with version number (nginx/1.18.0, Apache/2.4.41)
    • X-AspNet-Version, X-AspNetMvc-Version
    • X-Drupal-Cache, X-Generator
    • X-Debug-* headers in production
    • Any internal/debug headers leaking to public

  4. Check app config for header hardening:

# Node.js - look for helmet or manual removal
grep -riE "helmet|removeHeader|x-powered-by" . --include="*.js" --include="*.ts" 2>/dev/null | head -10

# Check nginx/apache config
grep -riE "server_tokens|ServerTokens|Header unset" . --include="*.conf" --include="nginx*" 2>/dev/null
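The steps above are usually run by hand and eyeballed. The script below is an added example, not part of the original check, that turns the "headers to flag" list into an unattended audit: pipe in a header dump (the output of `curl -sI <url>`, or a saved capture) and it prints one FAIL line per leak plus a count that can gate a CI job. The two sample dumps at the bottom are constructed for the demo, not captured from any real host; the header-name patterns in the case statement are this example's reading of the list above and can be extended in place.

```shell
#!/bin/sh
# Added example for this check; it is not code from the original page. It audits a raw
# HTTP response-header dump (the output of `curl -sI <url>` on stdin) against the
# pass/fail criteria above and emits one FAIL line per leak, so the check can run
# unattended against a list of endpoints.

# Classify a single "Name: value" header line. Prints a FAIL or INFO line, or nothing
# for headers this check does not care about.
classify_header() {
  name=${1%%:*}
  value=${1#*:}
  value=${value# }                 # drop the single space after the colon
  lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
  case "$lname" in
    x-powered-by|x-aspnet-version|x-aspnetmvc-version|x-drupal-cache|x-generator|x-php*|x-framework)
      printf 'FAIL: %s: %s (framework/stack disclosure)\n' "$name" "$value" ;;
    server)
      # A bare product name ("cloudflare", "nginx") passes; a dotted version ("nginx/1.18.0",
      # "Apache/2.4.41") fails, because it pins the deployment to a CVE list.
      case "$value" in
        *[0-9].[0-9]*) printf 'FAIL: %s: %s (server version disclosed)\n' "$name" "$value" ;;
        *)             printf 'INFO: %s: %s (generic Server value, acceptable)\n' "$name" "$value" ;;
      esac ;;
    x-debug*|x-internal*)
      printf 'FAIL: %s: %s (debug/internal header in production)\n' "$name" "$value" ;;
  esac
}

# Audit a header dump read from stdin. CRLF line endings are tolerated; the status line
# and blank lines are skipped.
audit_headers() {
  tr -d '\r' | while IFS= read -r line; do
    case "$line" in
      ''|HTTP/*) continue ;;
      *:*)       classify_header "$line" ;;
    esac
  done
}

# Number of FAIL findings for a header dump on stdin (prints 0 when clean), for gating CI.
leak_count() {
  audit_headers | grep -c '^FAIL' || true
}

# Constructed sample dumps, not captured from any real host: one leaky, one hardened.
LEAKY_DUMP=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nX-Powered-By: Express\r\nX-Debug-Token: 7f3a\r\nContent-Type: text/html\r\n')
CLEAN_DUMP=$(printf 'HTTP/2 200\r\nserver: cloudflare\r\ncontent-type: text/html\r\nstrict-transport-security: max-age=63072000\r\n')

# Stand-alone run: print findings for the leaky dump, then the count for both.
printf '%s\n' "$LEAKY_DUMP" | audit_headers
printf 'leaky dump: %s FAIL(s)\n' "$(printf '%s\n' "$LEAKY_DUMP" | leak_count)"
printf 'clean dump: %s FAIL(s)\n' "$(printf '%s\n' "$CLEAN_DUMP" | leak_count)"
```

Against a live host, run `curl -sI https://example.com | audit_headers` (after sourcing the script) for each endpoint under review. One caveat worth building into the routine: `curl -sI` sends a HEAD request, and some origins and CDNs answer HEAD with a different header set than GET, so also feed the script the headers of a real GET with `curl -s -D - -o /dev/null https://example.com`, which dumps the response headers and discards the body. Because the counter is printed rather than returned, the script works the same under dash and bash, where a counter incremented inside a piped `while` loop would otherwise be lost in a subshell.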

Ask user:

  • Are any headers intentionally exposed for debugging/tracing? (e.g., X-Request-Id)
  • Is there a web server config (nginx/apache) that should be stripping headers?

Cross-reference with:

  • SEC-005 (HSTS) - security headers such as HSTS should still be present after identifying and debug headers are removed; a header-stripping rule must not strip these as well

Pass criteria:

  • No X-Powered-By header
  • Server header absent, generic, or version-less
  • No framework-specific headers exposed
  • Only necessary headers present (CORS, cache-control, security headers)

Fail criteria:

  • Tech stack exposed via headers (X-Powered-By: Express)
  • Server version exposed (nginx/1.18.0)
  • Debug/internal headers leaking in production

Evidence to capture:

  • Full header dump from production
  • Any leaky headers found
  • Header hardening configuration location

Section: 13. Infrastructure Security