Best practices for hardening directus headers

Hey everyone, I’m tightening up the security posture of my Directus setup and noticed that Directus includes several default response headers, such as:

  • X-Powered-By: Directus

  • Other framework‑identifying headers added by the backend

I’m trying to reduce or remove framework‑disclosure headers where possible, but I’m not finding a clear, centralized reference on what Directus allows you to override.

My questions for the community

  1. Which Directus response headers can be safely disabled or overridden using environment variables or configuration?

  2. Is there a supported way to remove or suppress X-Powered-By: Directus?

  3. Are there any best‑practice recommendations for hardening Directus headers in production?

I’m mainly trying to ensure that Directus isn’t exposing unnecessary information about the underlying stack, and I’d love to hear how others approach header hardening in production environments.

Thanks in advance; any guidance or examples would be super helpful.
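The following is an added example, not part of the original post and not code from the Directus project. It is a small POSIX shell audit that takes the raw output of `curl -sI <url>` and reports which framework-disclosure headers (such as `X-Powered-By`) are present and which common hardening headers are absent, so you can verify a production deployment after changing the Directus or reverse-proxy configuration. The header lists and the embedded sample response are constructed for the example; the URL is a placeholder.

```shell
#!/bin/sh
# header_audit.sh - added example; not from the Directus project.
# Audits an HTTP response header block for stack-disclosure headers and
# for missing hardening headers. Works offline on the constructed sample
# below, or on a live response when a URL is passed as the first argument.

# Header names (lowercase) that reveal the underlying stack. Constructed list.
DISCLOSURE_HEADERS="x-powered-by server x-aspnet-version x-runtime"

# Hardening headers a production deployment is normally expected to send.
REQUIRED_HEADERS="strict-transport-security x-content-type-options content-security-policy"

# Constructed sample of a response that still leaks the framework name.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
X-Powered-By: Directus
Content-Type: text/plain
X-Content-Type-Options: nosniff
Content-Length: 4
'

# header_names: read a raw response on stdin, print lowercased header names.
# Skips the status line (NR>1) and any line without a "name: value" shape.
header_names() {
  tr -d '\r' | awk -F: 'NR>1 && NF>1 {print tolower($1)}'
}

# find_disclosure RESPONSE: print each disclosure header present, one per line.
find_disclosure() {
  printf '%s\n' "$1" | header_names | while read -r name; do
    for d in $DISCLOSURE_HEADERS; do
      if [ "$name" = "$d" ]; then
        printf '%s\n' "$name"
      fi
    done
  done
}

# find_missing RESPONSE: print each required hardening header that is absent.
find_missing() {
  names=$(printf '%s\n' "$1" | header_names)
  for r in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$names" | grep -qx "$r"; then
      printf '%s\n' "$r"
    fi
  done
}

# report RESPONSE: human-readable summary of both checks.
report() {
  echo "Disclosure headers present:"
  find_disclosure "$1" | sed 's/^/  /'
  echo "Hardening headers missing:"
  find_missing "$1" | sed 's/^/  /'
}

# When a URL is given, fetch its headers with curl; otherwise use the sample.
# Usage: sh header_audit.sh https://directus.example.invalid/server/ping
if [ -n "${1:-}" ]; then
  report "$(curl -sI "$1")"
else
  report "$SAMPLE_RESPONSE"
fi
```

The sample reports `x-powered-by` as present and `strict-transport-security` and `content-security-policy` as missing. The script only observes; where Directus itself offers no switch for a header, the usual production fix is to strip it at the reverse proxy (for example `proxy_hide_header X-Powered-By;` in an nginx `location` block) and re-run the audit against the proxied endpoint to confirm.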