The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically we have 3 response headers which many people want to remove for security reason.
- Server – Specifies web server version.
- X-Powered-By – Indicates that the website is “powered by ASP.NET.”
- X-AspNet-Version – Specifies the version of ASP.NET used.
Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang.
Usually this is how HTTP response looks like:
Or something like this:
HTTP/1.1 200 OK Content-Length: 0 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET X-UA-Compatible: IE=Edge,chrome=1 Date: Wed, 17 Mar 2016 10:07:37 GMT Connection: close
1. Remove Server response header with outboundRule rewrite rules
Rewrite and remove Server: Response Header with the following IIS URLRewrite outboundRule:
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="Your Own Server Message" />
2. Remove X-Powered-By header in IIS using customHeaders
By default IIS tells the world it’s powered by ASP.NET, by placing an X-Powered-By header. This response header can be removed with a customHeaders setting in web.config, placed in the node:
<remove name="X-Powered-By" />
3. X-AspNet-Version HTTP header
The X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used. Add the following content inside the <system.web> node in your application’s web.config file:
<httpRuntime enableVersionHeader="false" />
4. Remove HTTP headers in Global.asax
ASP.NET programmers may also remove or change server HTTP response headers through a global.asax file In your global.asax.cs add this:
protected void Application_PreSendRequestHeaders()
Response.Headers.Set("Server","My httpd server");
Hope it will help IIS Admin and web developers to hide server information and making hackers job little tougher 😉