How do I remove unnecessary HTTP Headers in IIS and ASP.NET application simply, please provide me step by step tutorial for improving security in this area?
I have already googled this and found few solutions but I need an easy tutorial, which can guide me to remove all unnecessary HTTP Headers from Response.
Any link or step by step guide will work.
You can follow these easy steps to remove server response headers from IIS
In web.config, under <system.webServer>, add the following to remove X-Powered-By: ASP.NET, which indicates that the website is powered by ASP.NET:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
In web.config, under <system.web>, write:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
The above code will remove the X-AspNet-Version HTTP header, which broadcasts to the world what version of ASP.NET is being used by your web server.
In web.config, under <system.webServer>, register a custom module like the code below:
<system.webServer>
<modules>
<add name="CustomHeaderModule" type="YourProject.HelperMethods.CustomHeaderModule" />
</modules>
</system.webServer>
For this step, you need to create an extra class file like below:
using System;
using System.Web;

namespace YourProject.HelperMethods
{
    // Registered in web.config under <system.webServer><modules>; runs for
    // every request in IIS integrated pipeline mode.
    public class CustomHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Fires just before the response headers are sent to the client,
            // i.e. after IIS has already added its own "Server" header.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Removes the "Server" header from the outgoing response
            HttpContext.Current.Response.Headers.Remove("Server");
        }
    }
}
The Server header is automatically added to the outgoing response by IIS, so use the above method to remove it.
In the Application_Start() method of Global.asax, write:
MvcHandler.DisableMvcResponseHeader = true;
The above code removes the X-AspNetMvc-Version HTTP header, which is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present; if you are using ASP.NET MVC and want to remove this header, add the line mentioned above.
That's it, you are done, your web-application is more secure now.
You can also do these steps using C# code in your Global.asax like below
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Set("Server","New server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}
But it is not recommended: you can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests.
You can also use IIS URL Rewrite (UrlRewrite): after downloading and installing IIS URL Rewrite, in the configuration section <configuration> -> <system.webServer> -> <rewrite>, add the outbound rule:
<outboundRules>
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
This will blank server headers (not remove them).
If you are using IIS 10, then you can also remove the Server header using web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
To disable the version header, use
<system.web>
...
<httpRuntime enableVersionHeader="false" />
...
</system.web>
To disable 'X-AspNetMvc-Version', add the C# code below in 'Application_Start':
MvcHandler.DisableMvcResponseHeader = true;
To remove the 'X-Powered-By' custom header, in web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
If you are using Application Request Routing, it will add a Custom 'X-Powered-By' which you cannot remove using the above settings.
To remove that, you will have to enable configuration in the IIS root, then navigate to the system.webServer/proxy node and set arrResponseHeader to false.
OR
Follow these steps:
You can also apply these settings to each individual website if needed
OR
Using Registry
Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters".
Create a DWORD entry called DisableServerHeader in that registry key and set the value to 1.
After adding the registry key, restart the HTTP service using the net stop http command and the net start http command.
If the HTTP service doesn't start up, then use the iisreset command. If that also doesn't work, then you can restart the server.
Note: This method is used only when the Server header comes as "Microsoft-HTTPAPI/2.0".
In .NET Core 6, you can remove the Server header using the code below:
var builder = WebApplication.CreateBuilder(args);
// Stops Kestrel from adding its "Server: Kestrel" header to every response
builder.WebHost.UseKestrel(option => option.AddServerHeader = false);
Thanks.
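As an added example (not part of the original answer or of any IIS tooling), here is a small Python audit that a practitioner can run after applying the steps above: it checks a web.config for the four mitigations the answer describes (X-Powered-By removal, enableVersionHeader="false", removeServerHeader="true", and the URL Rewrite outbound rule) and scans a raw HTTP response for the disclosure headers that should no longer be there. The web.config fragments and the before/after responses are constructed samples for a hypothetical site, not captured from a real server.

```python
import xml.etree.ElementTree as ET

# Response headers that disclose the server stack. The steps in the answer aim
# to make every one of these disappear (or, with the URL Rewrite rule, go blank).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_web_config(xml_text: str) -> dict:
    """Report which web.config mitigations from the answer are present."""
    root = ET.fromstring(xml_text)
    findings = {
        "x_powered_by_removed": False,            # customHeaders/remove name="X-Powered-By"
        "aspnet_version_header_disabled": False,  # httpRuntime enableVersionHeader="false"
        "server_header_removed": False,           # requestFiltering removeServerHeader="true" (IIS 10)
        "server_header_blanked_by_rewrite": False,  # outbound rule rewriting RESPONSE_Server to ""
    }
    for rm in root.iterfind("system.webServer/httpProtocol/customHeaders/remove"):
        if rm.get("name", "").lower() == "x-powered-by":
            findings["x_powered_by_removed"] = True
    runtime = root.find("system.web/httpRuntime")
    if runtime is not None and runtime.get("enableVersionHeader", "true").lower() == "false":
        findings["aspnet_version_header_disabled"] = True
    filtering = root.find("system.webServer/security/requestFiltering")
    if filtering is not None and filtering.get("removeServerHeader", "false").lower() == "true":
        findings["server_header_removed"] = True
    for rule in root.iterfind("system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None
                and match.get("serverVariable", "").lower() == "response_server"
                and action.get("type") == "Rewrite" and action.get("value", "") == ""):
            findings["server_header_blanked_by_rewrite"] = True
    return findings


def parse_response_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x response into {lowercase-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def leaked_headers(headers: dict) -> dict:
    """Return the disclosure headers that still carry a non-empty value."""
    return {name: values for name, values in headers.items()
            if name in DISCLOSURE_HEADERS and any(values)}


# Constructed sample web.config with every mitigation applied (hypothetical site).
HARDENED_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <rewrite>
      <outboundRules>
        <rule name="Remove RESPONSE_Server">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""

# Constructed default-style web.config with none of the mitigations.
DEFAULT_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
  </system.web>
</configuration>
"""

# Constructed raw responses: before hardening, and after the steps in the answer.
BEFORE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                   b"Server: Microsoft-IIS/10.0\r\nX-AspNetMvc-Version: 5.2\r\n"
                   b"X-AspNet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n"
                   b"Content-Length: 5\r\n\r\nhello")
AFTER_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                  b"Server: \r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    print(audit_web_config(HARDENED_WEB_CONFIG))
    print("before:", sorted(leaked_headers(parse_response_headers(BEFORE_RESPONSE))))
    print("after:", leaked_headers(parse_response_headers(AFTER_RESPONSE)))
```

The header scan deliberately treats a blank Server: header as clean, because that is all the URL Rewrite rule can achieve; if you need the header gone entirely, the audit's server_header_removed finding (IIS 10 removeServerHeader) or the IHttpModule approach is the one to look for. To check a live site, feed the bytes of a real response (for example from a raw socket or a captured request) to parse_response_headers instead of the constructed sample.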