
Last Updated: 3/9/2026


Powered-By Middleware

The Powered-By middleware adds an X-Powered-By header to the response, indicating which server technology is powering the application.

Import

    import { Hono } from 'hono'
    import { poweredBy } from 'hono/powered-by'

    const app = new Hono()
    app.use(poweredBy())

Usage

Basic Usage

By default, the middleware adds X-Powered-By: Hono to all responses:

    import { poweredBy } from 'hono/powered-by'

    app.use(poweredBy())
    app.get('/', (c) => c.text('Hello Hono!'))
    // Response will include: X-Powered-By: Hono

Custom Server Name

You can customize the server name displayed in the header:

    app.use(
      poweredBy({
        serverName: 'My Awesome API',
      })
    )
    app.get('/', (c) => c.text('Hello!'))
    // Response will include: X-Powered-By: My Awesome API

Apply to Specific Routes

You can apply the middleware to specific routes or route groups:

    // Apply to all /api routes
    app.use('/api/*', poweredBy({ serverName: 'My API v2' }))

    // Apply to a single route
    app.get('/about', poweredBy(), (c) => c.text('About page'))

Options

serverName

  • Type: string
  • Default: "Hono"
  • Description: The value to use for the X-Powered-By header.

    poweredBy({
      serverName: 'MyApp/1.0',
    })

Interaction with Secure Headers Middleware

The Powered-By middleware can interact with the Secure Headers middleware. The order in which you apply these middleware matters:

Powered-By Added, Then Removed

If you apply Powered-By middleware first, then Secure Headers, the X-Powered-By header will be removed by default (as Secure Headers removes this header for security reasons):

    import { poweredBy } from 'hono/powered-by'
    import { secureHeaders } from 'hono/secure-headers'

    app.use(poweredBy()) // Adds X-Powered-By: Hono
    app.use(secureHeaders()) // Removes X-Powered-By for security
    app.get('/', (c) => c.text('Hello!'))
    // Response will NOT include X-Powered-By header

Secure Headers First, Then Powered-By Added

If you apply Secure Headers first, then Powered-By, the X-Powered-By header will be present:

    import { poweredBy } from 'hono/powered-by'
    import { secureHeaders } from 'hono/secure-headers'

    app.use(secureHeaders()) // Applies security headers
    app.use(poweredBy()) // Adds X-Powered-By: Hono
    app.get('/', (c) => c.text('Hello!'))
    // Response WILL include X-Powered-By: Hono

Security Considerations

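The X-Powered-By header can reveal information about your server technology, which some consider a security risk because it makes the stack easier to fingerprint; removing it is a “security through obscurity” measure rather than a fix for any underlying weakness. Consider these points: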

When to Use

  • Branding: You want to promote your framework or technology stack
  • Debugging: During development to quickly identify which server is responding
  • API versioning: To indicate which version of your API is running

When NOT to Use

  • Production security: If you’re following security best practices that recommend hiding server information
  • With Secure Headers: If you’re using Secure Headers middleware (which removes this header by default)
  • Compliance requirements: If your security policy prohibits revealing server technology

Alternative: Use Secure Headers

For production applications, consider using the Secure Headers middleware instead, which removes the X-Powered-By header along with other security enhancements:

    import { secureHeaders } from 'hono/secure-headers'

    app.use(secureHeaders())
    // X-Powered-By will be removed, along with other security improvements

Examples

Development vs Production

You might want to use Powered-By in development but not in production:

    import { Hono } from 'hono'
    import { poweredBy } from 'hono/powered-by'
    import { secureHeaders } from 'hono/secure-headers'

    const app = new Hono()

    if (process.env.NODE_ENV === 'development') {
      app.use(poweredBy({ serverName: 'Hono Dev Server' }))
    } else {
      app.use(secureHeaders())
    }
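Because the outcome depends on middleware order and on which routes each middleware covers, checking the responses the app actually returns is more reliable than reading the configuration. The following is an added example, not part of the Hono documentation: classifyPoweredBy, auditPoweredBy, sampleHandler and SAMPLE_PATHS are hypothetical names, and sampleHandler is a constructed stand-in for a real app's fetch-style handler (for a Hono app, app.fetch).

```javascript
// Added example: audit which routes actually emit X-Powered-By.
// `handler` is any fetch-style function (Request) => Response | Promise<Response>.
// Uses the Request/Response/Headers globals (Node 18+, Bun, Deno, Workers).

// Matches a product token that carries a version number, e.g. "MyAPI/1.0".
const VERSION_TOKEN = /\/\d+(\.\d+)*/

// Classify one response's headers (pure function, easy to unit test).
function classifyPoweredBy(headers) {
  const value = headers.get('x-powered-by') // Headers lookups are case-insensitive
  if (value === null) {
    return { present: false, value: null, disclosesVersion: false }
  }
  return { present: true, value, disclosesVersion: VERSION_TOKEN.test(value) }
}

// Request every path and return only the ones that violate "no X-Powered-By".
async function auditPoweredBy(handler, paths, origin = 'http://localhost') {
  const findings = []
  for (const path of paths) {
    const res = await handler(new Request(origin + path))
    const result = classifyPoweredBy(res.headers)
    if (result.present) findings.push({ path, ...result })
  }
  return findings
}

// Constructed stand-in for an app in which two routes still set the header.
function sampleHandler(req) {
  const { pathname } = new URL(req.url)
  const headers = new Headers({ 'content-type': 'text/plain' })
  if (pathname.startsWith('/api/v1/')) headers.set('X-Powered-By', 'MyAPI/1.0')
  if (pathname === '/about') headers.set('X-Powered-By', 'Hono')
  return new Response('ok', { headers })
}

// Constructed list of routes to probe.
const SAMPLE_PATHS = ['/', '/about', '/api/v1/users', '/api/v2/users']

auditPoweredBy(sampleHandler, SAMPLE_PATHS).then((findings) => {
  for (const f of findings) {
    const note = f.disclosesVersion ? ' (version disclosed)' : ''
    console.log(`${f.path}: X-Powered-By: ${f.value}${note}`)
  }
})
```

In a test suite, pass the production app's handler instead of sampleHandler and fail the build when the returned list is not empty.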

Versioned API

    import { Hono } from 'hono'
    import { poweredBy } from 'hono/powered-by'

    const app = new Hono()

    // Each route group advertises its own API version
    app.use('/api/v1/*', poweredBy({ serverName: 'MyAPI/1.0' }))
    app.use('/api/v2/*', poweredBy({ serverName: 'MyAPI/2.0' }))

    app.get('/api/v1/users', (c) => c.json({ version: 1 }))
    app.get('/api/v2/users', (c) => c.json({ version: 2 }))

Multi-Service Architecture

    import { Hono } from 'hono'
    import { poweredBy } from 'hono/powered-by'

    const authApp = new Hono()
    authApp.use(poweredBy({ serverName: 'Auth Service' }))

    const apiApp = new Hono()
    apiApp.use(poweredBy({ serverName: 'API Service' }))

    // Mount each service under its own prefix
    const mainApp = new Hono()
    mainApp.route('/auth', authApp)
    mainApp.route('/api', apiApp)

  • Secure Headers - Comprehensive security headers including removal of X-Powered-By
  • Logger - Request logging middleware