From 25d26bbc23f29d1e1cd809a39c63da4bae022ddc Mon Sep 17 00:00:00 2001
From: Diogenes Fernandes <diofeher@gmail.com>
Date: Mon, 6 Apr 2026 17:17:42 -0300
Subject: [PATCH] Disable x-powered-by header

Express sends an `X-Powered-By: Express` response header by default,
which exposes server implementation details. Disabling it is a common
security best practice recommended by Express itself and tools like
helmet.
---
 server.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server.js b/server.js
index 7040cd6..cf28293 100755
--- a/server.js
+++ b/server.js
@@ -204,6 +204,7 @@ const router = new express.Router();
 
 // needed for secure cookies
 app.enable('trust proxy');
+app.disable('x-powered-by');
 
 const webdavServer = new webdav.v2.WebDAVServer({
     requireAuthentification: true,