How do I remove headers from my Web API response?

Question

New Web API 2.0 project so we have full control over the entire request / response pipeline.

How do we remove the "X-" headers from a response sent by ASP.NET Web API response? Specifically, at the moment and always subject to change, we want to remove "X-AspNet-Version", "X-Powered-By", and "X-SourceFiles".

We tried result.Headers.Remove("X-AspNet-Version"); before returning the HttpResponseMessage from the controller. That didn't work as the headers still appeared in Fiddler. I also didn't find any headers anywhere on the HttpResponseMessage object. To me, this indicated I may need to dig deeper into the pipeline but I'm not sure where to start or if that's correct.

Did you try any of these? http://stackoverflow.com/questions/3418557/how-to-remove-asp-net-mvc-default-http-headers — Slippery Pete, Aug 21 '14 at 21:04
Do not worry about "X-SourceFiles", as they are only sent to requests from localhost. — Doug, Nov 26 '15 at 13:43

score 4 · Answer 1 · edited May 23 '17 at 12:18

Solution-1

From this answer

The "powered by" is a custom header in IIS. Changing it depends on the version of IIS you are using. For some information on how to modify or remove, see here:

To remove the MVC header, In Global.asax, in the Application Start event:

MvcHandler.DisableMvcResponseHeader = true;

Put this in the web.config get rid of the X-AspNet-Version header:

<system.web>
    <httpRuntime enableVersionHeader="false" />
</system.web>

Solution-2

You can change any header or anything in Application_EndRequest() try this

protected void Application_EndRequest()
{
    // removing excessive headers. They don't need to see this.
    Response.Headers.Remove("header_name");
}

All worked in Web Api 2 thanks, except `MvcHandler.DisableMvcResponseHeader = true;` and `x-powered-by` wasn't shown in the list of headers in `Application_EndRequest` — Ian, Sep 07 '17 at 13:08

score 3 · Answer 2 · answered Jul 21 '16 at 15:11

Alternative solution I implemented is to define your own Http module and remove headers in OnPreSendRequestHeaders handler. This removes headers from all ASP.NET and Web API requests as well as static content requests. And you can reuse it in multiple projects.

public class RemoveHttpHeadersModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        Guard.ArgumentNotNull(context, "context");

        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;

        if (application != null)
        {
            HttpResponse response = application.Response;
            response.Headers.Remove("Server");
            response.Headers.Remove("X-Powered-By");
        }
    }
}

score 2 · Answer 3 · answered Mar 23 '16 at 07:44

2

If you are using Owin, you can add this to your startup class to remove the 'Server' header.

        app.Use((context, next) =>
        {
            context.Response.Headers.Remove("Server");
            return next.Invoke();
        });
        app.UseStageMarker(PipelineStage.PostAcquireState);

answered Mar 23 '16 at 07:44

Ger Groot

1,071
11
7

1

Are you self-hosting or hosting in IIS? Does not seem to work in self-hosted OWIN api – Sudhanshu Mishra May 19 '16 at 03:14
1

I'm using WebApi2 with OWIN and this doesn't work – Ian Sep 07 '17 at 12:57

score 1 · Answer 4 · edited May 23 '17 at 12:26

1

As pointed out by Slippery Pete, this question has been answered at How to remove ASP.Net MVC Default HTTP Headers?

Another solution would be to modify the request at the EndRequest signal as shown here http://tech.trailmax.info/2013/02/remove-server-http-header-from-asp-net-mvc-application/

edited May 23 '17 at 12:26

Community

1
1

answered Aug 22 '14 at 04:51

Joona Romppanen

66
6

How do I remove headers from my Web API response?

4 Answers4

Solution-1

Solution-2