How to remove server headers from IIS in ASP.NET MVC easily, need step by step guide?


How do I remove unnecessary HTTP headers in IIS and an ASP.NET application simply? Please provide a step-by-step tutorial for improving security in this area.

I have already googled this and found a few solutions, but I need an easy tutorial which can guide me to remove all unnecessary HTTP headers from the response.

Any link or step-by-step guide will work.


Asked by:- bhanu
0
: 8724 At:- 5/26/2018 5:56:23 PM
ASP.NET C# remove unnecessary headers MVC







3 Answers
Answered by:- jaya

You can follow these easy steps to remove server response headers from IIS

  • Go to your Web.Config and use the code below in <system.webServer> to remove X-Powered-By: ASP.NET, which indicates that the website is powered by ASP.NET
    <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
    </httpProtocol>
  • Again in your Web.Config file, inside <system.web>, write
     <httpRuntime enableVersionHeader="false" />

    The above code will remove the X-AspNet-Version HTTP header, which broadcasts to the world what version of ASP.NET is being used by your web server.

  • Now you need to add a module in Web.Config inside <modules>, which should be placed inside <system.webServer>, like the code below
    <system.webServer>
        <modules>
            <add name="CustomHeaderModule"
                 type="YourProject.HelperMethods.CustomHeaderModule" />
        </modules>
    </system.webServer>

    For this step, you need to create an extra Class file like below

    using System;
    using System.Web;
    
    namespace YourProject.HelperMethods
    {
        public class CustomHeaderModule : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }
    
            public void Dispose() { }
    
            void OnPreSendRequestHeaders(object sender, EventArgs e)
            {
                // Removes the "Server" header from the response
                HttpContext.Current.Response.Headers.Remove("Server");
            }
        }
    }

    The Server header is automatically added to the outgoing response by IIS, so use the above method to remove it.

  • The final step: go to your Global.asax and place this line in your Application_Start() method
     MvcHandler.DisableMvcResponseHeader = true;

    The above code removes the X-AspNetMvc-Version HTTP header, which is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present. However, if you are using ASP.NET MVC and want to remove this header, do so as mentioned above.

That's it, you are done, your web-application is more secure now.

You can also do these steps using C# code in your Global.asax like below

protected void Application_PreSendRequestHeaders()
{
  Response.Headers.Set("Server","New server");
  Response.Headers.Remove("X-AspNet-Version");
  Response.Headers.Remove("X-AspNetMvc-Version");
}

But it is not recommended, you can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests.

You can also use IIS URL Rewrite (UrlRewrite). After downloading and installing IIS URL Rewrite, in the configuration section <configuration> -> <system.webServer> -> <rewrite>, add the outbound rule:

<outboundRules>
  <rule name="Remove RESPONSE_Server" >
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
</outboundRules>

This will blank server headers (not remove them).

2
At:- 5/28/2018 7:51:32 AM Updated at:- 7/20/2022 3:43:06 PM
Thank you for your solid answer, it works for me :) 0
By : bhanu - at :- 6/1/2018 1:07:51 PM


Answered by:- bhanu

If you are using IIS 10, then you can remove server headers using Web.Config also

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

To disable the version header, use

<system.web>
  ...
  <httpRuntime enableVersionHeader="false" />
  ...
</system.web>

To disable 'X-AspNetMvc-Version', add the below C# code in 'Application_Start'

MvcHandler.DisableMvcResponseHeader = true;

To remove 'X-Powered-By' custom header in web.config

<system.webServer>
  
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  
</system.webServer>

If you are using Application Request Routing, it will add a Custom 'X-Powered-By' which you cannot remove using the above settings.

To remove that, you will have to enable configuration in IIS Root, then navigate to the system.webServer/proxy node and set arrResponseHeader to false.

OR 

Follow these steps:

  • Open "Internet Information Services (IIS) Manager" on your server.
  • If you want to set the settings globally, click on your main server node then select the IIS Node
  • Open the "Configuration Editor"
  • To remove "x-aspnet-version" response header, navigate to System.web -> httpRuntime -> enableVersionHeader and set it to 'false' to disable server response header
  • To remove the IIS 'Server' response header, navigate to System.webServer -> Security -> requestFiltering -> removeServerHeader and set it to 'true'

You can also set these settings on each individual website if needed

OR

Using Registry 

Navigate to "HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

After adding the Registry key, restart the HTTP service using the net stop http command and the net start http command.

If the HTTP service doesn’t start up then use the iisreset command. If that also doesn’t work then you can restart the server.

Note: This method is used only when the Server header comes as "Microsoft-HTTPAPI/2.0".

0
At:- 5/13/2021 11:26:43 AM Updated at:- 5/13/2021 11:37:02 AM
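
A quick way to confirm that the settings from the answers above took effect is to check a response for the four headers they name. This PowerShell function is an added example, not code from any of the answers; the function name, the status labels and the sample header values are constructed for illustration.

```powershell
# Added example: report which of the disclosure headers discussed above are still sent.
$DisclosureHeaders = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'

function Get-DisclosureHeaderReport {
    param(
        # Response headers, e.g. (Invoke-WebRequest ...).Headers or a hashtable.
        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Headers
    )

    foreach ($name in $DisclosureHeaders) {
        # HTTP header names are case-insensitive, so match the key ignoring case.
        $key = @($Headers.Keys) | Where-Object { $_ -ieq $name } | Select-Object -First 1

        if ($null -eq $key) {
            $status = 'Removed'
            $value  = $null
        }
        else {
            # PowerShell 7 returns each value as a string collection; flatten it.
            $value = (@($Headers[$key]) -join ', ').Trim()
            if ($value -eq '') {
                # Header still present but empty, as with the URL Rewrite outbound rule.
                $status = 'Blanked'
            }
            elseif ($name -eq 'Server' -and $value -like 'Microsoft-HTTPAPI/*') {
                # The value the registry method (DisableServerHeader) is meant for.
                $status = 'Exposed (HTTP.sys)'
            }
            else {
                $status = 'Exposed'
            }
        }

        [pscustomobject]@{ Header = $name; Status = $status; Value = $value }
    }
}

# Constructed sample headers: a site where only some of the steps were applied.
$sample = @{
    'Server'              = 'Microsoft-IIS/10.0'
    'X-AspNetMvc-Version' = '5.2'
    'x-powered-by'        = ''
    'Content-Type'        = 'text/html; charset=utf-8'
}
Get-DisclosureHeaderReport -Headers $sample | Format-Table -AutoSize
```

To check a running site, pass `(Invoke-WebRequest -Uri <your site URL> -UseBasicParsing).Headers` as `-Headers`.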


Answered by:- jaiprakash

In .NET Core 6, you can remove server headers using the code below:

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.UseKestrel(option => option.AddServerHeader = false);

Thanks.

0
At:- 11/15/2022 3:39:36 PM





