Security Hardening: Removing Infrastructure Fingerprinting Headers
Release: v1.0.467 · Control: SCR-24 · Category: Competitive Exposure
Overview
HTTP response headers can inadvertently reveal the technology stack powering an application. This class of information disclosure — known as infrastructure fingerprinting — makes it easier for automated scanners and adversaries to identify frameworks, target known vulnerabilities, and profile a platform's supply chain without any authentication.
This release addresses one such exposure in the MTD compliance platform.
What Changed
x-powered-by: Next.js Header Suppressed
By default, Next.js injects an x-powered-by: Next.js header into every HTTP response. Although next.config.ts already configured a number of security-related response headers, it did not explicitly opt out of this default behaviour.
Before (implicit default):

```http
HTTP/2 200
x-powered-by: Next.js
...
```

After (v1.0.467):

```http
HTTP/2 200
# x-powered-by header absent
...
```
The fix is a single configuration addition in next.config.ts:

```ts
// next.config.ts
import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  // Stop Next.js from emitting "x-powered-by: Next.js" on every response
  poweredByHeader: false,
  // ...existing config
};

export default nextConfig;
```
Setting poweredByHeader: false instructs Next.js to omit the x-powered-by header from all responses at the framework level, meaning no additional server or middleware configuration is required.
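A small verification helper for this control, added here as an example and not part of the release or the project's code base. It assumes Node.js 18 or later (built-in fetch), a hypothetical header policy that mirrors the scope table in this note (x-powered-by must be absent, x-vercel-* headers are accepted), and constructed sample header sets for the before and after states:

```javascript
// Header policy (assumed, derived from this note): these headers are treated as
// infrastructure fingerprinting leaks and must not be present.
const FINGERPRINT_HEADERS = ["x-powered-by", "x-aspnet-version", "x-generator"];
// Vercel platform headers are accepted per the consistency guidelines above.
const ACCEPTED_PREFIX = "x-vercel-";

// Audit a header map (name -> value, any case). Returns the offending headers,
// the accepted platform headers, and a pass flag for SCR-24.
function auditHeaders(headers) {
  const normalized = {};
  for (const [name, value] of Object.entries(headers)) {
    normalized[name.toLowerCase()] = String(value);
  }
  const leaks = FINGERPRINT_HEADERS
    .filter((h) => h in normalized)
    .map((h) => `${h}: ${normalized[h]}`);
  const accepted = Object.keys(normalized)
    .filter((h) => h.startsWith(ACCEPTED_PREFIX))
    .map((h) => `${h}: ${normalized[h]}`);
  return { leaks, accepted, pass: leaks.length === 0 };
}

// Live check of a deployment: HEAD request, then audit the response headers.
// Usage (hypothetical): auditUrl("https://<your-deployment>/").then(console.log)
async function auditUrl(url) {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  return auditHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed samples reflecting the before/after responses shown in this note.
const BEFORE_HEADERS = {
  "Content-Type": "text/html",
  "X-Powered-By": "Next.js",
  "x-vercel-deployment-url": "example.vercel.app",
};
const AFTER_HEADERS = {
  "Content-Type": "text/html",
  "x-vercel-deployment-url": "example.vercel.app",
};

console.log("before:", auditHeaders(BEFORE_HEADERS)); // pass: false
console.log("after:", auditHeaders(AFTER_HEADERS));   // pass: true
```

Run the live check against a staging deployment after deploying v1.0.467 to confirm the header is gone end to end, since a CDN or reverse proxy in front of the app could still add its own headers.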
Scope and Limitations
| Header | Status | Notes |
|---|---|---|
| x-powered-by: Next.js | ✅ Removed | Suppressed via poweredByHeader: false |
| x-vercel-deployment-url | ⚠️ Retained | Vercel platform headers are considered acceptable per consistency guidelines — Vercel deployment is public by design |
Why This Matters
- Reduces passive reconnaissance surface: Automated tools routinely harvest x-powered-by headers to build target lists for framework-specific exploits.
- Defence in depth: Even when no active vulnerability exists in the disclosed framework version, suppressing this header is a low-cost, zero-risk hardening measure recommended by OWASP and standard security benchmarks.
- Compliance posture: For a platform handling sensitive HMRC credentials and taxpayer financial data, minimising information leakage is consistent with the platform's encrypted credential storage and audit trail commitments.