What does "x-powered by" mean?

"X-Powered-By" is a common non-standard HTTP response header (most headers prefixed with an 'X-' are non-standard). It's often included by default in responses constructed via a particular scripting technology.

It's important to note that it can be disabled and/or manipulated by the server. Some servers chose not to include it or even to provide misleading information to throw off hackers that might target a particular technology/version.

If I wanted to send out that response header in a PHP script it's as simple as including the following code:

header('x-powered-by: ZendServer 8.5.0,ASP.NET');

It cannot necessarily be trusted. The server in question could very well be using some combination of technologies you mentioned, or perhaps neither. It can be a helpful start, but there is no way to definitively tell what scripting software is being used on a server simply from an HTTP response.

It – like all headers – is sent by the server (including any web application running on that server). Or it could be set by an intermediate proxy.

X-Powered-By is set by various servers to say what kind of server it is.

Software installed on that server might override the server's default.

There is an argument that giving this information to clients gives information that can only serve to help attackers (just a little bit: saves working out what kind of server).

Summary: set by server, at best informational, at worst could make attacks a tiny bit easier.

Which tool are you using to find out the technology behind a website. The website could be powered by several technologies at once. Here is a link to help you with it.