How to remove server headers from IIS in ASP.NET MVC easily, need step by step guide?

How do I remove unnecessary HTTP Headers in IIS and ASP.NET application simply, please provide me step by step tutorial for improving security in this area?

I have already googled this and found few solutions but I need an easy tutorial, which can guide me to remove all unnecessary HTTP Headers from Response.

Any link or step by step guide will work.

Asked by:- bhanu

: 1073 At:- 5/26/2018 5:56:23 PM

ASP.NET C# remove unnecessary headers MVC

add comment to question

1 Answers

Answered by:- jaya

You can follow these easy steps to remove server response headers from IIS

Go to your Web.Config and use the below code in <system.webServer> to remove X-Powered-By: ASP.NET that indicates website is powered by ASP.NET
```
<httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
 </httpProtocol>?
```
Again in your Web.Config file inside <system.web> write
```
 <httpRuntime enableVersionHeader="false" />?
```
the above code will remove the X-AspNet-Version HTTP Header which broadcasts to the world what version of ASP.NET is being used by your web server.

Now you need to add a module in Web.Config inside <module> which should be placed inside <system.webServer> like below code

<system.webServer>  
    <modules>    

      <add name="CustomHeaderModule"
       type="YourProject.HelperMethods.CustomHeaderModule" />

 </modules>
</system.webServer>?

For this step, you need to create an extra Class file like below

using System;
using System.Web;

namespace YourProject.HelperMethods
{
    public class CustomHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
           // removes "Server" details from response header
            HttpContext.Current.Response.Headers.Remove("Server");
        }
    }
}?

The Server header is automatically added to the outgoing response by IIS, so use the above method to remove it.

The final step, go to your Global.asax and place this line in your Application_Start() method
```
 MvcHandler.DisableMvcResponseHeader = true;?
```
The above code removes X-AspNetMvc-Version HTTP Header which is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present. However, if you are using ASP.NET MVC and want to remove this header as mentioned above.

That's it, you are done, your web-application is more secure now.

You can also do these steps using C# code in your Global.asax like below

protected void Application_PreSendRequestHeaders()
{
  Response.Headers.Set("Server","New server");
  Response.Headers.Remove("X-AspNet-Version");
  Response.Headers.Remove("X-AspNetMvc-Version");
}

But it is not recommended, you can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests.