"X-Powered-By: Express" still present in /theme responses

I am trying to remove the "x-powered-by" header from all Node-RED API responses because of a pentest finding.

As far as I can see, this should have already been done:

Ensure httpServerOptions gets applied to ALL the express apps · node-red/node-red@a9b252b (github.com)

But it seems that for the theme path the header is still set.
https://localhost:1880/theme
https://localhost:1880/theme/login/node-red-256-P.png

Response-Header:
X-Powered-By: Express

Node v16.20.0
Node-RED v3.0.2

Can you raise an issue on GitHub so it can be looked at?

# X-Powered-By: Express
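A way to check which paths still send the header, for example when re-testing after a fix. This is an added example, not part of the thread or of Node-RED's code. The names `findLeaks`, `probe` and `SAMPLE` are hypothetical, and the sample headers are constructed to mirror the paths reported above.

```javascript
// Headers that disclose the server stack; X-Powered-By is the one in this thread.
const DISCLOSING = ['x-powered-by'];

// Pure check: given { path: headers }, list every path that still discloses.
// Header names are compared case-insensitively, as HTTP requires.
function findLeaks(responses) {
  const leaks = [];
  for (const [path, headers] of Object.entries(responses)) {
    for (const [name, value] of Object.entries(headers)) {
      if (DISCLOSING.includes(name.toLowerCase())) {
        leaks.push({ path, header: name.toLowerCase(), value });
      }
    }
  }
  return leaks;
}

// Live probe: request each path and keep only the response headers.
// allowSelfSigned skips certificate validation; use it only against a
// local test instance with a self-signed certificate.
async function probe(baseUrl, paths, { allowSelfSigned = false } = {}) {
  const mod = await import(baseUrl.startsWith('https:') ? 'node:https' : 'node:http');
  const out = {};
  for (const path of paths) {
    out[path] = await new Promise((resolve, reject) => {
      const opts = { method: 'GET', rejectUnauthorized: !allowSelfSigned };
      const req = mod.request(new URL(path, baseUrl), opts, (res) => {
        res.resume();          // discard the body, only the headers matter
        resolve(res.headers);  // Node lower-cases header names here
      });
      req.on('error', reject);
      req.end();
    });
  }
  return out;
}

// Constructed sample: the root is clean, the /theme paths are not.
const SAMPLE = {
  '/': { 'content-type': 'text/html' },
  '/theme': { 'X-Powered-By': 'Express', 'content-type': 'application/json' },
  '/theme/login/node-red-256-P.png': { 'x-powered-by': 'Express' },
};

console.log(findLeaks(SAMPLE).map((l) => l.path));
```

Against a running instance, pass the result of `await probe('https://localhost:1880', ['/', '/theme'], { allowSelfSigned: true })` to `findLeaks`.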
