51

Will this cause any harm? Does it serve any purpose other than tell browsers you have .net installed?

I like this article about changing the header to Pure Evil. Genius!

http://www.iishacks.com/index.php/2009/11/11/remove-x-powered-by-aspnet-http-response-header/

ScottE
  • 21,530
  • 18
  • 94
  • 131

4 Answers4

40

Add this to your web.config section

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
Kevin Up
  • 791
  • 1
  • 6
  • 11
  • But this configuration will only affect the particular site, not all deployed application, am I right? – boleslaw.smialy Aug 25 '16 at 14:52
  • 4
    How could this answer have this many votes? This doesn't answer to the question at all. Did you even read the question? – Matthieu Charbonnier Dec 11 '17 at 14:56
  • 2
    @MatthieuCharbonnier And yet this is exactly the answer that I, and presumably lots of other people needed. It gets my vote. – user1751825 Jul 22 '18 at 21:27
  • @boleslaw.smialy you can change this setting on all configuration levels. Site `web.config` but also `applicationhost.config` (for all of them if inherited and not overwritten). In fact the applicationhost config is the one that adds it in the first place, which you can remove. – Kissaki May 25 '20 at 12:26
33

This header (and a few other headers) is not required or used by modern browsers and can safely be removed from the web site configuration in IIS without consequence. Other server-side languages also tend to include a "Powered by..." header that can be safely removed. Here is another article that claims the same thing:

https://web.archive.org/web/20210506093425/http://www.4guysfromrolla.com/articles/120209-1.aspx

[...]

The Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version HTTP headers provide no direct benefit and unnecessarily chew up a small amount of bandwidth. Fortunately, these response headers can be removed with some configuration changes.

fletcher
  • 13,380
  • 9
  • 52
  • 69
6

Yes you can remove it,it will not affect anything. All x-headers are custom/non standard and informational only by definition. Browsers ignore them. The only thing it could affect is some kind of custom application that actually uses them for something e.g. a web crawler that gathers statistics on what technology is being used on what website might use the header to determine if a site uses asp.net. They don't actually do anything.

Ben Robinson
  • 21,601
  • 5
  • 62
  • 79
  • Anything to support this, or is this from personal experience? – ScottE Jul 30 '10 at 19:51
  • 1
    This is not a general rule that should be followed. X-Frame Options is an "x-header" that would have very real consequences for removing without understanding what you're doing. – Brad Apr 06 '21 at 20:00
3

Yes you can remove it and it will give away less information to automated hacking tools and here you have a tutorial how to get a rid of Server, X-AspNet-Version, X-AspNetMvc-Version (if you use ASP.NET MVC) and X-Powered-By

http://arturito.net/2011/10/21/how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7/

Artur Kedzior
  • 3,994
  • 1
  • 36
  • 58