How to remove ASP Net MVC Default HTTP Headers

Question

Each page in an MVC application I m working with sets these HTTP headers in responses   X-Powered-By  ASP NET X-AspNet-Version  2 0 50727 X-AspNetMvc-Version  2 0   How do I prevent these from showing

User · Accepted Answer

X-Powered-By is a custom header in IIS  Since IIS 7  you can remove it by adding the following to your web config    lt system webServer gt     lt httpProtocol gt       lt customHeaders gt         lt remove name  X-Powered-By    gt       lt  customHeaders gt     lt  httpProtocol gt   lt  system webServer gt    This header can also be modified to your needs  for more information refer to http   www iis net ConfigReference system webServer httpProtocol customHeaders    Add this to web config to get rid of the X-AspNet-Version header    lt system web gt     lt httpRuntime enableVersionHeader  false    gt   lt  system web gt      Finally  to remove X-AspNetMvc-Version  edit Global asax cs and add the following in the Application Start event   protected void Application Start         MvcHandler DisableMvcResponseHeader   true        You can also modify headers at runtime via the Application PreSendRequestHeaders event in Global asax cs  This is useful if your header values are dynamic   protected void Application PreSendRequestHeaders object source  EventArgs e          Response Headers Remove  foo          Response Headers Add  bar    quux

User · Answer

You can also remove them by adding code to your global asax file    protected void Application PreSendRequestHeaders object sender  EventArgs e        HttpContext Current Response Headers Remove  X-Powered-By       HttpContext Current Response Headers Remove  X-AspNet-Version       HttpContext Current Response Headers Remove  X-AspNetMvc-Version       HttpContext Current Response Headers Remove  Server

User · Answer

You can change any header or anything in Application EndRequest   try this  protected void Application EndRequest            removing excessive headers  They don t need to see this      Response Headers Remove  header name

User · Answer

Check this blog Don t use code to remove headers  It is unstable according Microsoft   My take on this    lt system webServer gt                 lt httpProtocol gt       lt  -- Security Hardening of HTTP response headers -- gt       lt customHeaders gt           lt  --Sending the new X-Content-Type-Options response header with the value  nosniff  will prevent                  Internet Explorer from MIME-sniffing a response away from the declared content-type  -- gt           lt add name  X-Content-Type-Options  value  nosniff    gt            lt  -- X-Frame-Options tells the browser whether you want to allow your site to be framed or not                    By preventing a browser from framing your site you can defend against attacks like clickjacking                    Recommended value  x-frame-options  SAMEORIGIN  -- gt           lt add name  X-Frame-Options  value  SAMEORIGIN    gt            lt  -- Setting X-Permitted-Cross-Domain-Policies header to    master-only    will instruct Flash and PDF files that                   they should only read the master crossdomain xml file from the root of the website                    https   www adobe com devnet articles crossdomain policy file spec html -- gt           lt add name  X-Permitted-Cross-Domain-Policies  value  master-only    gt            lt  -- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers                    Recommended value  X-XSS-Protection  1  mode block   -- gt           lt add name  X-Xss-Protection  value  1  mode block    gt            lt  -- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites                    If you have sensitive information in your URLs  you don t want to forward to other domains                   https   scotthelme co uk a-new-security-header-referrer-policy  -- gt           lt add name  Referrer-Policy  value  no-referrer-when-downgrade    gt            lt  -- Remove x-powered-by in the response header  required by OWASP A5 2017 - Do not disclose web server configuration -- gt           lt remove name  X-Powered-By    gt            lt  -- Ensure the cache-control is public  some browser won t set expiration without that  -- gt           lt add name  Cache-Control  value  public    gt       lt  customHeaders gt   lt  httpProtocol gt    lt  -- Prerequisite for the  lt rewrite gt  section             Install the URL Rewrite Module on the Web Server https   www iis net downloads microsoft url-rewrite -- gt   lt rewrite gt       lt  -- Remove Server response headers  OWASP Security Measure  -- gt       lt outboundRules rewriteBeforeCache  true  gt           lt rule name  Remove Server header  gt               lt match serverVariable  RESPONSE Server  pattern        gt                lt  -- Use custom value for the Server info -- gt               lt action type  Rewrite  value  Your Custom Value Here     gt           lt  rule gt       lt  outboundRules gt   lt  rewrite gt   lt  system webServer gt

User · Answer

The X-Powered-By header is added by IIS to the HTTP response  so you can remove it even on server level via IIS Manager   You can use the web config directly    lt system webServer gt      lt httpProtocol gt        lt customHeaders gt          lt remove name  X-Powered-By    gt        lt  customHeaders gt      lt  httpProtocol gt   lt  system webServer gt

User · Answer

As shown on Removing standard server headers on Windows Azure Web Sites page  you can remove headers with the following    lt  xml version  1 0  encoding  utf-8   gt   lt configuration gt     lt system webServer gt       lt httpProtocol gt         lt customHeaders gt           lt clear   gt         lt  customHeaders gt       lt  httpProtocol gt       lt security gt         lt requestFiltering removeServerHeader  true   gt       lt  security gt     lt  system webServer gt     lt system web gt       lt httpRuntime enableVersionHeader  false    gt     lt  system web gt   lt  configuration gt    This removes the Server header  and the X- headers   This worked locally in my tests in Visual Studio 2015

User · Answer

NET Core   To remove the Server header  within the Program cs file  add the following option    UseKestrel opt   gt  opt AddServerHeader   false    For dot net core 1  put add the option inside the  UseKestrel   call  For dot net core 2  add the line after UseStartup      To remove X-Powered-By header  if deployed to IIS  edit your web config and add the following section inside the system webServer tag    lt httpProtocol gt       lt customHeaders gt           lt remove name  X-Powered-By    gt       lt  customHeaders gt   lt  httpProtocol gt        NET 4 5 2   To remove the Server header  within your global asax file add the following       protected void Application BeginRequest object sender  EventArgs e                string   headers      Server    X-AspNet-Version              if   Response HeadersWritten                        Response AddOnSendingHeaders  c    gt                                if  c    null  amp  amp  c Response    null  amp  amp  c Response Headers    null                                        foreach  string header in headers                                                if  c Response Headers header     null                                                        c Response Headers Remove header                                                                                                           Pre  NET 4 5 2   Add the following c  class to your project   public class RemoveServerHeaderModule   IHttpModule       public void Init HttpApplication context                context PreSendRequestHeaders    OnPreSendRequestHeaders             public void Dispose            void OnPreSendRequestHeaders object sender  EventArgs e                HttpContext Current Response Headers Remove  Server              and then within your web config add the following  lt modules gt  section    lt system webServer gt             lt modules gt       lt add name  RemoveServerHeaderModule  type  MyNamespace RemoveServerHeaderModule    gt    lt  modules gt    However I had a problem where sub-projects couldn t find this module  Not fun    Removing X-AspNetMvc-Version header  To remove the   X-AspNetMvc-Version   tag  for any version of  NET  modify your   web config   file to include    lt system web gt          lt httpRuntime enableVersionHeader  false    gt       lt  system web gt    Thanks Microsoft for making this unbelievably difficult  Or maybe that was your intention so that you could track IIS and MVC installs across the world

User · Answer

For the sake of completeness  there is another way to remove the Server header  using regedit  See this MSDN blog   Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1  HKLM SYSTEM CurrentControlSet Services HTTP Parameters  I d rather find a proper solution using the Web config  but using  lt rewrite gt  is not good because it requires the rewrite module to be installed  and even then it won t really remove the header  just empty it

User · Answer

As described in Cloaking your ASP NET MVC Web Application on IIS 7  you can turn off the X-AspNet-Version header by applying the following configuration section to your web config    lt system web gt      lt httpRuntime enableVersionHeader  false   gt    lt  system web gt    and remove the X-AspNetMvc-Version header by altering your Global asax cs as follows   protected void Application Start           MvcHandler DisableMvcResponseHeader   true       As described in Custom Headers  You can remove the  X-Powered-By  header by applying the following configuration section to your web config    lt system webServer gt      lt httpProtocol gt         lt customHeaders gt            lt clear   gt         lt  customHeaders gt      lt  httpProtocol gt   lt  system webServer gt    There is no easy way to remove the  Server  response header via configuration  but you can implement an HttpModule to remove specific HTTP Headers as described in Cloaking your ASP NET MVC Web Application on IIS 7 and in how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7

User · Answer

In Asp Net Core you can edit the web config files like so    lt httpProtocol gt     lt customHeaders gt       lt remove name  X-Powered-By    gt     lt  customHeaders gt   lt  httpProtocol gt    You can remove the server header in the Kestrel options                UseKestrel c   gt                                   removes the server header                 c AddServerHeader   false

User · Answer

I found this configuration in my web config which was for a New Web Site    created in Visual Studio  as opposed to a New Project       Since the question states a ASP NET MVC application  not as relevant  but still an option    lt system webServer gt     lt httpProtocol gt       lt customHeaders gt         lt clear   gt         lt remove name  X-Powered-By    gt       lt  customHeaders gt      lt  httpProtocol gt   lt  system webServer gt    Update  Also  Troy Hunt has an article titled Shhh    don   t let your response headers talk too loudly with detailed steps on removing these headers as well as a link to his ASafaWeb tool for scanning for them and other security configurations

[asp.net-mvc] How to remove ASP.Net MVC Default HTTP Headers?

Examples related to asp.net-mvc

Examples related to security

Examples related to http-headers