How do I remove unnecessary HTTP headers in IIS and an ASP.NET application simply? Please provide me a step-by-step tutorial for improving security in this area.
I have already googled this and found a few solutions, but I need an easy tutorial which can guide me to remove all unnecessary HTTP headers from the response.
Any link or step by step guide will work.
You can follow these easy steps to remove server response headers from IIS.
Inside <system.webServer>, to remove X-Powered-By: ASP.NET, which indicates that the website is powered by ASP.NET:
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
Inside <system.web>, write:
    <httpRuntime enableVersionHeader="false" />
The above code will remove the X-AspNet-Version HTTP header, which broadcasts to the world what version of ASP.NET is being used by your web server.
Inside <system.webServer>, like the code below:
    <system.webServer>
      <modules>
        <add name="CustomHeaderModule"
             type="YourProject.HelperMethods.CustomHeaderModule" />
      </modules>
    </system.webServer>
For this step, you need to create an extra Class file like below
    using System;
    using System.Web;

    namespace YourProject.HelperMethods
    {
        public class CustomHeaderModule : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }

            public void Dispose() { }

            void OnPreSendRequestHeaders(object sender, EventArgs e)
            {
                // removes "Server" details from response header
                HttpContext.Current.Response.Headers.Remove("Server");
            }
        }
    }
The Server header is automatically added to the outgoing response by IIS, so use the above method to remove it.
In the Application_Start() method:
    MvcHandler.DisableMvcResponseHeader = true;
The above code removes the X-AspNetMvc-Version HTTP header, which is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present. However, if you are using ASP.NET MVC and want to remove this header, do so as mentioned above.
That's it, you are done, your web-application is more secure now.
You can also do these steps using C# code in your Global.asax like below
    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Set("Server", "New server");
        Response.Headers.Remove("X-AspNet-Version");
        Response.Headers.Remove("X-AspNetMvc-Version");
    }
But it is not recommended. You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests.
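One way to confirm the steps above took effect, as an added example that is not part of the original answer: a small Python check that reads a raw response head and reports which of the four headers discussed here are still present, and which fix from the answer applies. The function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Headers the answer removes, mapped to the fix the answer gives for each.
PAGE_FIXES = {
    "x-powered-by": '<remove name="X-Powered-By" /> under <customHeaders>',
    "x-aspnet-version": '<httpRuntime enableVersionHeader="false" />',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true;",
    "server": "CustomHeaderModule registered under <modules>",
}

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response head."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if line == "":
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit(raw):
    """List every header from PAGE_FIXES still present in the response."""
    findings = []
    for name, value in parse_headers(raw):
        if name in PAGE_FIXES:
            findings.append({
                "header": name,
                "value": value,
                "has_version": bool(re.search(r"\d+(\.\d+)+", value)),
                "fix": PAGE_FIXES[name],
            })
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/10.0\r\nX-AspNetMvc-Version: 5.2\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n\r\n<html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RENAMED = "HTTP/1.1 200 OK\r\nserver: New server\r\n\r\n"  # Global.asax variant

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("renamed", RENAMED)):
        for f in audit(raw):
            print(label, f["header"], repr(f["value"]), "->", f["fix"])
```

Header names are matched case-insensitively, and the RENAMED sample shows that overwriting Server with a fixed string still leaves the header present, only without a version number.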