Failed to disable ‘x-powered-by’ header in firebase hosting and cloud functions

I am having some problem in disabling the ‘x-powered-by’ header. The following code should be able to disable the header, but I still see the header in the response.

  • Express version: 4.16.4

import * as functions from 'firebase-functions';

import * as express from 'express';
import * as rateLimit from 'express-rate-limit';

const xssFilter = require('x-xss-protection');

import * as sendgrid from '@sendgrid/mail';

const APP = express();
const API_CONTACT_FORM_LIMITER = new rateLimit({ windowMs: 60 * 1000, max: 50});

APP.disable('x-powered-by'); // <== This should disable the header


sendgrid.setApiKey(functions.config().sendgrid.key);"/api/test", async (request, response) => {

export const api = functions.https.onRequest(APP);

But I got the following when sent a POST request:

> firebase serve
> curl -i -X POST http://localhost:5000/api/test

HTTP/1.1 200 OK
x-powered-by: Express // <== This should not be here
cache-control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-xss-protection: 1; mode=block
x-ratelimit-limit: 50
x-ratelimit-remaining: 49
date: Sat, 06 Apr 2019 08:05:01 GMT
x-ratelimit-reset: 1554538793
content-type: text/html; charset=utf-8
content-length: 2
etag: W/"1-VP0XESCfscB4EJI3QTLGbnniJBs"
connection: close
vary: Accept-Encoding, Authorization, Cookie


Was there any problem in my code? And how could I solve this?
I have read issue#2790, but it does not solve my problem.

Thanks a lot.

Author: Fantashit

1 thought on “Failed to disable ‘x-powered-by’ header in firebase hosting and cloud functions

Comments are closed.