Disclosing technology fingerprints allows an attacker to gather information about the technologies used to develop the web application and to perform relevant security assessments more quickly (like the identification of known vulnerable components).

Ask Yourself Whether

There is a risk if you answered yes to any of these questions.

Recommended Secure Coding Practices

It's recommended to not disclose technologies used on a website, with x-powered-by HTTP header for example.

In addition, it's better to completely disable this HTTP header rather than setting it a random value.

Sensitive Code Example

public ResponseEntity<String> testResponseEntity() {
  HttpHeaders responseHeaders = new HttpHeaders();
  responseHeaders.set("x-powered-by", "myproduct"); // Sensitive

  return new ResponseEntity<String>("foo", responseHeaders, HttpStatus.CREATED);
}

Compliant Solution

Don't use x-powered-by or Server HTTP header or any other means disclosing fingerprints of the application.

See