How to remove server headers from IIS in ASP.NET MVC easily, need step by step guide?


How do I remove unnecessary HTTP headers in an IIS and ASP.NET application simply? Please provide me a step-by-step tutorial for improving security in this area.

I have already googled this and found a few solutions, but I need an easy tutorial which can guide me to remove all unnecessary HTTP headers from the response.

Any link or step by step guide will work.


Asked by:- bhanu
0
: 347 At:- 5/26/2018 5:56:23 PM
ASP.NET C# remove unnecessary headers MVC






1 Answers
Answered by:- jaya

You can follow these easy steps to remove server response headers from IIS

  • Go to your Web.Config and use the below code in <system.webServer> to remove X-Powered-By: ASP.NET, which indicates that the website is powered by ASP.NET
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  • Again in your Web.Config file, inside <system.web>, write
    <httpRuntime enableVersionHeader="false" />

    The above code will remove the X-AspNet-Version HTTP header, which broadcasts to the world what version of ASP.NET is being used by your web server.

  • Now you need to add a module in Web.Config inside <modules>, which should be placed inside <system.webServer>, like the below code
    <system.webServer>
      <modules>
        <add name="CustomHeaderModule"
             type="YourProject.HelperMethods.CustomHeaderModule" />
      </modules>
    </system.webServer>

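    For this step, you need to create an extra class file like below

    using System;
    using System.Web;

    namespace YourProject.HelperMethods
    {
        // Managed module that strips the "Server" header from every response.
        public class CustomHeaderModule : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                // Runs just before the response headers are sent to the client.
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }

            public void Dispose() { }

            void OnPreSendRequestHeaders(object sender, EventArgs e)
            {
                // Use the application that raised the event instead of
                // HttpContext.Current, which may be null.
                var application = sender as HttpApplication;
                if (application == null || application.Context == null)
                {
                    return;
                }

                // Removes "Server" details from the response header.
                // Response.Headers requires the IIS integrated pipeline mode.
                application.Context.Response.Headers.Remove("Server");
            }
        }
    }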

    The Server header is automatically added to the outgoing response by IIS, so use the above method to remove it.

  • The final step: go to your Global.asax and place this line in your Application_Start() method
    MvcHandler.DisableMvcResponseHeader = true;

    The above code removes the X-AspNetMvc-Version HTTP header, which is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present. However, if you are using ASP.NET MVC and want to remove this header, do so as mentioned above.

That's it, you are done; your web application is more secure now.

You can also do these steps using C# code in your Global.asax like below

protected void Application_PreSendRequestHeaders()
{
  Response.Headers.Set("Server","New server");
  Response.Headers.Remove("X-AspNet-Version");
  Response.Headers.Remove("X-AspNetMvc-Version");
}

But this is not recommended. You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests.

2
At:- 5/28/2018 7:51:32 AM
Thank you for your solid answer, it works for me :)
By : bhanu - at :- 6/1/2018 1:07:51 PM
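
A way to confirm that the steps in the answer above took effect, as an added example that is not part of the original answer: it parses the head of an HTTP response and lists whichever of the four headers named in the answer are still present. The sample responses are constructed, and `leaked_headers` and `fetch_head` are hypothetical helper names.

```python
import http.client
from email.parser import Parser
from urllib.parse import urlsplit

# The four headers the answer above removes or rewrites.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By",
                      "X-AspNet-Version", "X-AspNetMvc-Version")

def leaked_headers(raw_head):
    """Return {header: value} for each disclosure header in one response head."""
    _status, _, header_block = raw_head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    found = {}
    for name in DISCLOSURE_HEADERS:
        values = headers.get_all(name)  # lookup is case-insensitive
        if values:
            found[name] = ", ".join(v.strip() for v in values)
    return found

def fetch_head(url, timeout=5):
    """Fetch url and return its status line and headers as text (needs network)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
        lines += ["%s: %s" % (k, v) for k, v in resp.getheaders()]
        return "\n".join(lines)
    finally:
        conn.close()

# Constructed sample responses, not captured from a real server.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
"""
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, leaked_headers(sample) or "no disclosure headers left")
```

To check your own site, pass the output of `fetch_head` for one of its URLs to `leaked_headers`. With the Global.asax variant, which sets `Server` to a new value instead of removing it, the header is still reported as present.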




