Security Hardening: Suppressing the x-powered-by Header
Release: v1.0.468 · Ref: SCR-24
Overview
As of v1.0.468, the Making Tax Digital platform no longer emits the x-powered-by: Next.js HTTP response header on any response. The header carries no functional meaning, so removing it is a low-effort hardening measure with no functional impact that closes a passive information-disclosure channel.
Background
By default, Next.js automatically appends the following header to every HTTP response:
x-powered-by: Next.js
The header serves no functional purpose, but it advertises the underlying framework to anyone who inspects HTTP traffic, including competitors, automated vulnerability scanners, and web crawlers. It names the framework but not its version; even so, knowing the framework lets an attacker skip stack guessing, narrow the set of applicable CVEs, and craft framework-specific probes.
What Changed
A single configuration option was added to next.config.ts (shown here with the surrounding import and export that the file needs to load):

```ts
import type { NextConfig } from "next";

const nextConfig: NextConfig = {
  // Suppress the x-powered-by: Next.js response header to prevent trivial
  // framework fingerprinting by competitors or automated scanners (SCR-24).
  poweredByHeader: false,
  // ... rest of config
};

export default nextConfig;
```
This instructs the Next.js server to omit the header from every response it produces: pages, API routes, and static assets alike. Two caveats apply. First, the option only governs headers set by Next.js itself; a reverse proxy or CDN in front of the application may add its own disclosure headers (most commonly server:), which this change does not touch and which should be checked separately. Second, the header is only the most obvious fingerprint: artefacts such as the /_next/ asset paths still identify the framework to a determined attacker, so the change raises the cost of casual fingerprinting rather than eliminating it.
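The following is an added verification check, not part of the platform's code or of Next.js. It scans a response's headers for common framework and server fingerprints so the SCR-24 change can be confirmed against a deployed host (and so that a reintroduced header is caught in a later release). The header list and the two sample responses are constructed for illustration; the inclusion of server: is an assumption reflecting the reverse-proxy caveat above rather than anything Next.js emits.

```typescript
// Added example (not project code): flag fingerprinting response headers.
// Header names are matched case-insensitively, as HTTP requires.
const FINGERPRINT_HEADERS = new Set<string>([
  "x-powered-by",        // the header removed by SCR-24
  "server",              // assumption: typically added by a proxy/CDN, not Next.js
  "x-aspnet-version",
  "x-aspnetmvc-version",
  "x-generator",
]);

type Finding = { header: string; value: string };

// Pure check over a header map, usable offline and in tests.
function findFingerprintHeaders(headers: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (FINGERPRINT_HEADERS.has(lower)) {
      findings.push({ header: lower, value });
    }
  }
  // Deterministic order so diffs between runs are meaningful.
  return findings.sort((a, b) => a.header.localeCompare(b.header));
}

// Live check against a deployed host (Node 18+ global fetch). A HEAD request
// is enough: Next.js sets the header on every response regardless of method.
// redirect: "manual" keeps the check on the URL you asked about rather than
// silently following a redirect to another host.
async function checkUrl(url: string): Promise<Finding[]> {
  const res = await fetch(url, { method: "HEAD", redirect: "manual" });
  const headers: Record<string, string> = {};
  res.headers.forEach((value, name) => {
    headers[name] = value;
  });
  return findFingerprintHeaders(headers);
}

// Constructed sample responses (not captured from the platform): the header
// set a default Next.js build returns, and the same response after SCR-24.
const BEFORE_SCR24: Record<string, string> = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Powered-By": "Next.js",
  "Cache-Control": "private, no-cache, no-store, max-age=0, must-revalidate",
};
const AFTER_SCR24: Record<string, string> = {
  "Content-Type": "text/html; charset=utf-8",
  "Cache-Control": "private, no-cache, no-store, max-age=0, must-revalidate",
};

console.log("before SCR-24:", findFingerprintHeaders(BEFORE_SCR24));
console.log("after SCR-24: ", findFingerprintHeaders(AFTER_SCR24));
```

To run the live check, call checkUrl("https://<host>/") from a Node script and fail the release if it returns a non-empty list; the same result can be eyeballed with curl -sI against the host. Because the function inspects every response header rather than only x-powered-by, it also surfaces any server: header added by the proxy or CDN layer, which the Next.js setting cannot suppress.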
Impact
| Area | Before | After |
|---|---|---|
| x-powered-by header present | ✅ Yes | ❌ No |
| Functional behaviour | Unchanged | Unchanged |
| End-user experience | Unchanged | Unchanged |
| API compatibility | Unchanged | Unchanged |
Security Benefit
- Removes a passive fingerprinting signal with no legitimate use for external parties.
- Reduces the information available to automated scanners during reconnaissance.
- Aligns with general security best practice of minimising unnecessary header disclosure (see OWASP: Remove Fingerprinting Headers).
No Action Required
This change is entirely server-side and transparent to all users, integrations, and API consumers. No configuration, code, or workflow changes are needed.