.NET, Information Security

Hiding sensitive header response for IIS server

The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically there are three response headers that many people want to remove for security reasons, because each one discloses something about the server software:

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is “powered by ASP.NET.”
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang.

Usually this is how an HTTP response looks:

Response Header for IIS Application

Or something like this:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Wed, 17 Mar 2016 10:07:37 GMT
Connection: close

1. Remove Server response header with outboundRule rewrite rules

Rewrite the Server: response header with the following IIS URL Rewrite outboundRule (the URL Rewrite module must be installed, and the rule goes inside <rewrite> under <system.webServer> in web.config). As written, the rule replaces the header value with your own string rather than dropping the header; setting value to an empty string removes the header entirely.

  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="Your Own Server Message" />
    </rule>
  </outboundRules>

2. Remove X-Powered-By header in IIS using customHeaders

By default IIS tells the world it’s powered by ASP.NET by placing an X-Powered-By header on every response. This response header can be removed with a customHeaders setting in web.config, placed in the <customHeaders> node (under <httpProtocol> in <system.webServer>):

    <remove name="X-Powered-By" />

3. X-AspNet-Version HTTP header

The X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used. Add the following content inside the <system.web> node in your application’s web.config file:

<httpRuntime enableVersionHeader="false" />

4. Remove HTTP headers in Global.asax

ASP.NET programmers may also remove or change server HTTP response headers through the global.asax file. In your global.asax.cs add this:

protected void Application_PreSendRequestHeaders()
{
  // Requires the IIS integrated pipeline; Response.Headers cannot be modified in classic mode.
  // Response.Headers.Remove("Server");
  Response.Headers.Set("Server", "My httpd server");
}
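Whichever of the four methods above you apply, check the result afterwards. The following Python script is an added example, not code from the original post: it parses a raw response like the one shown earlier (or probes a live URL with a HEAD request via the assumed `probe` helper) and reports which of the three disclosure headers are still present. The sample responses are constructed for this example.

```python
import http.client
from urllib.parse import urlparse

# The three version-disclosing headers this post targets. HTTP header names are
# case-insensitive, so every comparison below is done on lower-cased names.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

def parse_raw_response(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response's header block into {lowercase-name: value}.
    The status line is skipped and anything after the first blank line (body) ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.strip().split("\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_disclosure(headers: dict) -> dict:
    """Return {header: value} for each targeted header still present with a value."""
    found = {}
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name.lower())
        if value:  # a header rewritten to an empty value counts as removed
            found[name] = value
    return found

def probe(url: str, timeout: float = 5.0) -> dict:
    """Assumed helper: HEAD-request `url` and audit the live response's headers."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        return find_disclosure({k.lower(): v for k, v in conn.getresponse().getheaders()})
    finally:
        conn.close()

# Constructed samples: the pre-hardening response shown earlier in the post, and the
# same response after the Server and X-Powered-By headers have been removed.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "Vary: Accept-Encoding\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n"
    "X-UA-Compatible: IE=Edge,chrome=1\r\nDate: Wed, 17 Mar 2016 10:07:37 GMT\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_AFTER = SAMPLE_BEFORE.replace("Server: Microsoft-IIS/8.5\r\n", "") \
                            .replace("X-Powered-By: ASP.NET\r\n", "")
if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_disclosure(parse_raw_response(raw)) or "no disclosure headers")
```

Run it against your own site with `probe("https://your-host/")` after deploying the changes; a non-empty result means a header is still leaking.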

Hope this helps IIS admins and web developers hide server information and make an attacker's job a little tougher 😉