Remove HTTP headers

Removes configured HTTP response headers from Drupal to enhance security by hiding server information.

remove_http_headers
15,438 sites
42
drupal.org

Install

Drupal 11, 10 (v2.1.2):
    composer require 'drupal/remove_http_headers:^2.1'
Drupal 9 (v2.0.1):
    composer require 'drupal/remove_http_headers:^2.0'

Overview

The Remove HTTP headers module provides a simple yet effective way to remove specified HTTP headers from all Drupal responses. This is a security best practice as it helps obscure information about the underlying technology stack, making it harder for attackers to identify potential vulnerabilities.

The module uses an HTTP middleware that runs after Drupal's page caching middleware, ensuring headers are removed from both cached and non-cached responses. When the X-Generator header is configured for removal, the module also automatically removes the corresponding <meta name="Generator"> tag from the HTML output.

By default, the module is configured to remove three common Drupal-identifying headers: X-Generator, X-Drupal-Dynamic-Cache, and X-Drupal-Cache. Administrators can customize which headers to remove through the settings page or directly via configuration files.

Features

  • Removes any configured HTTP headers from all Drupal HTTP responses
  • Automatically removes the Generator meta tag from HTML when X-Generator header removal is configured
  • Uses HTTP middleware with high priority (1000) to ensure headers are removed after all other middleware
  • Provides an admin UI for configuring which headers to remove
  • Supports configuration via YAML files for deployment workflows
  • Implements caching for header configuration to optimize performance
  • Validates header format to ensure no whitespace in header names
  • Automatically invalidates cache when configuration changes

Use Cases

Security Hardening for Production Sites

Remove all Drupal-identifying headers (X-Generator, X-Drupal-Cache, X-Drupal-Dynamic-Cache, X-Drupal-Cache-Tags, X-Drupal-Cache-Contexts) so that responses no longer advertise that the site runs Drupal or which version it runs. This makes automated vulnerability scanning less effective.

Compliance with Security Policies

Many organizations have security policies requiring removal of server identification headers. Configure the module to remove X-Powered-By, Server, and other headers that reveal technology stack information.

Hiding Caching Strategy

Remove X-Drupal-Cache and X-Drupal-Dynamic-Cache headers to hide information about the site's caching strategy from potential attackers who might try to exploit cache-related vulnerabilities.

Privacy Enhancement

Remove headers that could be used for fingerprinting or tracking to enhance user privacy and comply with privacy regulations.

Tips

  • The module runs as HTTP middleware with high priority (1000), ensuring it processes responses after Drupal's page cache middleware adds its headers
  • For maximum security, consider removing: X-Generator, X-Drupal-Cache, X-Drupal-Dynamic-Cache, X-Drupal-Cache-Tags, X-Drupal-Cache-Contexts
  • Configuration can be exported and deployed across environments using Drupal's configuration management system
  • The module validates that header names contain no whitespace to prevent configuration errors
  • Headers are removed on main requests only, not on subrequests, for performance optimization

Technical Details

Admin Pages
Remove HTTP headers settings: /admin/config/system/remove-http-headers

Configure which HTTP response headers should be removed from all Drupal responses. This helps enhance security by hiding server information that could be used by attackers to identify vulnerabilities.

Permissions
Administer the Remove HTTP headers settings

Allows users to access and modify the Remove HTTP headers configuration. This permission is restricted and should only be granted to trusted administrators.

Hooks
hook_page_attachments_alter

Used to remove the Generator meta tag from the HTML head when the X-Generator header is configured for removal.

Troubleshooting
Headers are still visible after configuration

Clear all Drupal caches after changing settings. The module caches the header list for performance. Also verify the configuration was saved correctly at /admin/config/system/remove-http-headers.

Cannot access the settings page

Ensure you have the 'Administer the Remove HTTP headers settings' permission. This is a restricted permission that must be explicitly granted.

Generator meta tag still appears in HTML

Make sure 'X-Generator' is included in the list of headers to remove. The meta tag removal is triggered specifically by the X-Generator header being in the removal list.

Headers from reverse proxy still visible

This module only removes headers added by Drupal. Headers added by web servers (Apache, Nginx) or reverse proxies must be configured at those levels.
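
A check for the troubleshooting cases above, as an added example rather than code from the module: it audits a raw response (as saved from curl -si) for the headers this page names and for the Generator meta tag. The two sample responses are constructed, and the "drupal" / "stack" / "html" labels are this example's own, separating what the module's removal list covers from what must be fixed at the web server or proxy.

```python
import re

# Drupal-generated headers this page lists for removal (compared lower-cased).
DRUPAL_HEADERS = {"x-generator", "x-drupal-cache", "x-drupal-dynamic-cache",
                  "x-drupal-cache-tags", "x-drupal-cache-contexts"}
# Labelled "stack" by this example: usually set by PHP, the web server or a proxy.
STACK_HEADERS = {"server", "x-powered-by"}
GENERATOR_META = re.compile(r'''<meta[^>]*\bname\s*=\s*["']generator["'][^>]*>''', re.I)

def parse_response(raw):
    """Split a raw HTTP response into ({lower-cased name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def audit(raw):
    """Return (item, origin) pairs for everything that still identifies the stack."""
    headers, body = parse_response(raw)
    findings = []
    for name in sorted(headers):
        if name in DRUPAL_HEADERS:
            findings.append((name, "drupal"))  # add to the module's list, clear caches
        elif name in STACK_HEADERS:
            findings.append((name, "stack"))   # may need fixing at web server / proxy
    if GENERATOR_META.search(body):
        findings.append(("meta-generator", "html"))  # needs X-Generator in the list
    return findings

# Constructed sample responses (not captured from a real site).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
          "Content-Type: text/html; charset=UTF-8\r\n"
          "X-Generator: Drupal 10 (https://www.drupal.org)\r\n"
          "X-Drupal-Cache: HIT\r\n\r\n"
          '<html><head><meta name="Generator" content="Drupal 10" /></head></html>')
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         "Content-Type: text/html; charset=UTF-8\r\n\r\n"
         "<html><head><title>Home</title></head></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

Run it against both a cached and an uncached page, since the X-Drupal-Cache headers are added by the caching layers.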

Security Notes
  • This module is covered by Drupal's Security Advisory policy
  • Removing identifying headers is a security best practice but should be part of a comprehensive security strategy
  • The 'remove_http_headers settings access' permission is marked as restricted and should only be granted to trusted administrators
  • While header removal helps obscure server information, determined attackers may still identify Drupal through other means