Description
Disclosing technology fingerprints allows an attacker to gather information about the technologies used to develop the web application and to perform relevant security assessments more quickly (like the identification of known vulnerable components).
It's recommended not to disclose the technologies used on a website through the X-Powered-By HTTP header. In addition, it's better to disable this HTTP header completely rather than setting it to a random value.
Bad Practice
let express = require('express');
let app = express(); // Sensitive: Express sends "X-Powered-By: Express" on every response by default
app.get('/', function (req, res) {
  res.send('hello');
});
Recommended
let express = require('express');
// Approach 1: Using express
let app1 = express();
app1.disable("x-powered-by"); // Express stops setting the header at all
// Approach 2: Using helmetjs and express
let helmet = require("helmet");
let app2 = express();
app2.use(helmet.hidePoweredBy()); // Middleware that removes X-Powered-By from each response
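As an added illustration (not code from this rule page, Express or helmet), the following dependency-free model of an Express-style middleware chain shows why the two recommended approaches work and why the "random value" alternative does not: the default header discloses the framework, an overwritten random value still discloses that a technology header exists, and only removing the header leaves nothing to fingerprint. The response object, the chain runner and the three middlewares are assumptions built for this example.

```javascript
// Minimal response object exposing only the header methods this example needs
// (assumed shape; not Node's http.ServerResponse).
function makeResponse() {
  const headers = new Map();  // lower-cased name -> value
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), String(value)); },
    removeHeader(name) { headers.delete(name.toLowerCase()); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
  };
}

// Models Express's default: the header is added before user handlers run.
function defaultPoweredBy(req, res, next) {
  res.setHeader('X-Powered-By', 'Express');
  next();
}

// The discouraged alternative from the text: keep the header but randomise it.
function randomPoweredBy(req, res, next) {
  res.setHeader('X-Powered-By', 'Tech-' + Math.random().toString(36).slice(2));
  next();
}

// The recommended alternative: drop the header entirely.
function hidePoweredBy(req, res, next) {
  res.removeHeader('X-Powered-By');
  next();
}

// Runs middlewares in order (synchronously, which is enough here).
function runChain(middlewares, req = {}) {
  const res = makeResponse();
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Defender-side check: the header discloses technology whenever it is present,
// whatever its value, so this flags presence rather than matching "Express".
function disclosesPoweredBy(res) {
  return res.getHeader('X-Powered-By') !== undefined;
}

// Three configurations mirroring the page: sensitive default, random value, hidden.
const sensitive = runChain([defaultPoweredBy]);
const randomised = runChain([defaultPoweredBy, randomPoweredBy]);
const hardened = runChain([defaultPoweredBy, hidePoweredBy]);
```

The same presence-based check is what to run against captured responses of a real deployment: a header that is merely renamed or randomised still fails it.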