Express: Unable to disable 'x-powered-by' header

I'm not sure. The tests that test disabling are passing. Is there a way you can send me a full app I can run that reproduces this?

Thanks for the quick reply! From what I can see, express is never explicitly setting the header. Logging res.get('X-Powered-By') in a route handler is undefined.

I will try to make an app to repro this. It will be later in the day or this evening before I can get to it though.

Perhaps doing a grep for X-Powered-By in your code and in your node_modules could help find different places it could be coming from?

Hi! I haven't heard anything back. Are you still having an issue or did you find the culprit?

I didn't ever track down the issue. We ended up setting a custom header instead. I'll spend some more time today to look into this.

Ok, gotcha. Please keep me updated, especially if this is an Express bug (and you can either provide a way to reproduce OR even go and send us a PR to get in a contribution!).

Ok. I think I tracked it down. We were using webpack-dev-server to proxy to an express api. Since it uses express the header was being set upstream on the response before our app handled the request.

We just stopped using webpack-dev-server as a proxy and the issue doesn't exist anymore! Thanks for you patience with this.

I accidentally wrote Router = require('express') instead of Router = require('express').Router. Because the API is identical, it's very hard to spot.

Hope this saves time someone like me :laughing:

I accidentally wrote Router = require('express') instead of Router = require('express').Router. Because the API is identical, it's very hard to spot.

Thanks, I just struggled with this for a while.

As @suprMax pointed out, you have to use Router if you want to apply the application config also to nested routers that are included like this: app.use('/myrouter', myRouter).