OrchardCore: Should not use 'x-powered-by'
The system returns a value, orchardcore, in an x-powered-by header.

Why?
Sending these types of HTTP headers:
- does not provide any value to the user experience
- contributes to header bloat
- exposes information to potential attackers about the technology stack being used
About this issue
- State: closed
- Created 3 years ago
- Comments: 22 (22 by maintainers)
It’s documented how to disable it.
However we ask users not to do it as it allows us to know how many public websites are using orchardcore. We don’t have any data about our main website usage, we don’t do any pings back when you open the dashboard. We have literally nothing but this default header. But yet you can disable it with a simple boolean and again, it is documented.
How can we justify the time we spend on this product if there are no users of the product? This is our only way to justify what we do. When your customers ask why they should use Orchard, or if anyone else uses it, aren’t you happy we can give them some examples? When my managers ask me what’s the point of spending their budget on an open source project, I am glad I can give them some links to websites using our tech. If we don’t have that, and only rely on the good will of people mentioning the website they are deploying, I couldn’t work on it anymore.
You can disable it if you really think so. But again, take a look at the size of your page, of the whole requests, even the smallest one. If you still can’t do it, disable it. But then please file an entry in https://showorchard.com
Wrong. If one wants to hack a site there are many other ways to guess it. And usually hackers use bots to send the attack without even thinking about what tech is being used. Just look at your web logs.
I think everything has been said and sorted out 😄
Excellent!
Would be much safer to be false by default.
for now: