204

Each page in an MVC application I'm working with sets these HTTP headers in responses:

X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0

How do I prevent these from showing?

Paul Fryer

12 Answers

344

X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders


Add this to web.config to get rid of the X-AspNet-Version header:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

Finally, to remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic:

protected void Application_PreSendRequestHeaders(object source, EventArgs e)
{
    Response.Headers.Remove("foo");
    Response.Headers.Add("bar", "quux");
}
Ian Kemp
D'Arcy Rittich
  • 4
    +1 - For interest's sake, 1) Why would you? 2) Does it have any adverse effect? – BritishDeveloper Aug 05 '10 at 21:20
  • 77
    You do this for security reasons to obfuscate what technology you use to generate your web pages. This forces hackers to work a little harder. – D'Arcy Rittich Aug 05 '10 at 21:25
  • 24
    @BritishDeveloper This was a recommendation that came out of a security review. I guess it's a best practice not to advertise your technology stack, because that helps hackers target specific vulnerabilities with that platform. – Paul Fryer Aug 05 '10 at 21:27
  • Although this answer was accepted long ago, I decided to add an updated and more detailed answer (see my answer below). Hope it helps. – RonyK Mar 03 '14 at 13:42
  • 6
    On IIS 8 this does not remove the `X-Powered-By` header. See other answers on how to achieve this in `web.config`. – Knelis Apr 23 '15 at 14:34
  • I had to put the `enableVersionHeader` to the web.config file. The header was still there if I only set the value to false in the `Configuration Editor` in IIS. Someone knows why? – krlzlx Apr 14 '16 at 10:15
  • I also added and that worked for me – Raver0124 Mar 04 '17 at 14:10
  • This only removes X-AspNet-Version – Moses Machua Nov 04 '17 at 14:43
  • It does not remove the server name. Is there any other suggestion to make it remove the server name on IIS 7? @RedFilter – neda Derakhshesh Jun 20 '18 at 12:03
  • 1
    Don't use code to remove response headers. It is unstable according to this: https://learn.microsoft.com/en-us/aspnet/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead#presend Use the web.config custom headers instead: https://www.saotn.org/remove-iis-server-version-http-response-header/#remove-server-response-header-with-an-outboundrule-url-rewrite-rule My take on this: https://stackoverflow.com/a/51639886/2142001 – mitaka Aug 01 '18 at 18:20
  • Removing it in web.config was not working for ServiceStack X-Powered-By headers. This took care of it though. I am going to take a deep breath and hope for the best. I'll report back if I see crashes. – Brandon Barkley Mar 20 '20 at 15:07
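Added example, not code from the answer above: a small Python audit that parses a raw HTTP response head and reports which of the four headers discussed in this thread are still present, using constructed before/after responses. The audit_url helper is an assumption of mine for running the same check against a site you administer.

```python
import http.client
from urllib.parse import urlparse

# Headers the thread is about, each mapped to the fix the answer above gives.
DISCLOSURE_HEADERS = {
    "server": "set by IIS itself; no web.config switch before IIS 10 (see later answers)",
    "x-powered-by": "customHeaders <remove name=\"X-Powered-By\" />",
    "x-aspnet-version": "<httpRuntime enableVersionHeader=\"false\" />",
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true",
}


def parse_head(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a dict
    keyed by lower-cased header name; stops at the blank line before the body."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosed(headers: dict) -> dict:
    """Return {header: (value, fix)} for each disclosure header still present."""
    return {n: (v, DISCLOSURE_HEADERS[n]) for n, v in headers.items()
            if n in DISCLOSURE_HEADERS}


def audit_url(url: str) -> dict:
    """Send a HEAD request to a site you administer and audit its headers."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    return disclosed({k.lower(): v for k, v in resp.getheaders()})


# Constructed response before any fix is applied: all four headers leak.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
          "X-Powered-By: ASP.NET\r\nX-AspNet-Version: 2.0.50727\r\n"
          "X-AspNetMvc-Version: 2.0\r\nContent-Type: text/html\r\n\r\n<html>")
# Constructed response after the three changes in the answer above: only the
# Server header, which IIS rather than ASP.NET adds, remains.
AFTER = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
         "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for name, (value, fix) in disclosed(parse_head(raw)).items():
            print(f"{label}: {name}: {value} -> fix: {fix}")
```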
114

You can also remove them by adding code to your global.asax file:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("X-Powered-By");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
    HttpContext.Current.Response.Headers.Remove("Server");
}
bkaid
  • 31
    In my case only the last three worked, for "X-Powered-By" I still needed ` ` – Frank van Eykelen May 29 '12 at 11:30
  • 2
    In my case none of the above headers were removed. I am using .NET 4.0 and IIS 7. Thanks to other comments in this thread, I have managed to remove all unwanted headers with the exception of "Server", which is the worst case. – Farjad Apr 19 '13 at 12:02
  • 5
    Does it work against your content files/images/etc that aren't going through the code path? – Mark Sowul Oct 22 '15 at 15:46
  • What did you put in for "Server"? Should it be like this: Response.Headers.Remove("Server: Microsoft-IIS/7.0");? Or should it be "Server"? Please help – neda Derakhshesh Jun 19 '18 at 10:59
  • Odd to anyone else that "PreSendRequestHeaders" is actually pre-send response headers? – JDPeckham Apr 23 '19 at 20:02
  • 1
    HttpContext.Current is null at this event (.net 4.7 vs2017) – JDPeckham Apr 23 '19 at 20:08
51

I found this configuration in my web.config which was for a New Web Site... created in Visual Studio (as opposed to a New Project...). Since the question states a ASP.NET MVC application, not as relevant, but still an option.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <remove name="X-Powered-By" />
    </customHeaders>
   </httpProtocol>
</system.webServer>

Update: Also, Troy Hunt has an article titled Shhh… don’t let your response headers talk too loudly with detailed steps on removing these headers as well as a link to his ASafaWeb tool for scanning for them and other security configurations.

Kevin Hakanson
  • 5
    Best option, but requires IIS 7+. You need not them... remove is enough. Also you might want to add this to system.webServer to remove another vulnerability: `code` `code` – felickz Jun 10 '13 at 15:03
  • I think the element clears all headers, including the 'X-Powered-By', so the element is redundant. – Jan H Feb 12 '20 at 11:24
  • @JanH, no, it only undoes any custom header rules that have already been applied (usually from a config in a parent directory, or from the server itself). Basically, the "clear" element tells IIS to treat custom headers as if nothing has added anything yet that would affect the site/application in question. – Eric Mar 17 '22 at 20:17
36

.NET Core

To remove the Server header, within the Program.cs file, add the following option:

.UseKestrel(opt => opt.AddServerHeader = false)

For .NET Core 1, add the option inside the .UseKestrel() call. For .NET Core 2, add the line after UseStartup().

To remove X-Powered-By header, if deployed to IIS, edit your web.config and add the following section inside the system.webServer tag:

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>

.NET 4.5.2

To remove the Server header, within your global.asax file add the following:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    string[] headers = { "Server", "X-AspNet-Version" };

    if (!Response.HeadersWritten)
    {
        Response.AddOnSendingHeaders((c) =>
        {
            if (c != null && c.Response != null && c.Response.Headers != null)
            {
                foreach (string header in headers)
                {
                    if (c.Response.Headers[header] != null)
                    {
                        c.Response.Headers.Remove(header);
                    }
                }
            }
        });
    }
}

Pre .NET 4.5.2

Add the following c# class to your project:

public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("Server");
    }
}

and then within your web.config add the following <modules> section:

<system.webServer>
    ....
    <modules>
        <add name="RemoveServerHeaderModule" type="MyNamespace.RemoveServerHeaderModule" />
    </modules>
</system.webServer>

However I had a problem where sub-projects couldn't find this module. Not fun.

Removing X-AspNetMvc-Version header

To remove the X-AspNetMvc-Version tag, for any version of .NET, modify your web.config file to include:

<system.web>
...
   <httpRuntime enableVersionHeader="false" />
...
</system.web>

Thanks Microsoft for making this unbelievably difficult. Or maybe that was your intention so that you could track IIS and MVC installs across the world ...

Rocklan
  • 6
    In this day and age this is considered a "worst practise" and it's hard to believe Microsoft still makes "insecure" the default and so tricky to opt in to "secure". It reminds me of how Windows hides the common file extensions by default so unsuspecting users will click on viruses. I seem to recall Bill Gates announcing "secure by default" in 2003 - whatever happened to that idea? – mike nelson Oct 18 '17 at 18:22
  • 2
    @mikenelson if it makes you feel any better, trying to remove the Server tag in nginx is just as difficult - I ended up having to hack the actual source code itself. – Rocklan Oct 19 '17 at 01:22
  • About `RemoveServerHeaderModule` it's not gonna work in WebApi project. – krypru Jun 04 '18 at 11:44
  • Your last section removes the `X-AspNet-Version` header, not the `X-AspNetMvc-Version` header. – Suncat2000 Feb 22 '23 at 20:55
33

As described in Cloaking your ASP.NET MVC Web Application on IIS 7, you can turn off the X-AspNet-Version header by applying the following configuration section to your web.config:

<system.web> 
  <httpRuntime enableVersionHeader="false"/> 
</system.web>

and remove the X-AspNetMvc-Version header by altering your Global.asax.cs as follows:

protected void Application_Start() 
{ 
    MvcHandler.DisableMvcResponseHeader = true; 
}

As described in Custom Headers You can remove the "X-Powered-By" header by applying the following configuration section to your web.config:

<system.webServer>
   <httpProtocol>
      <customHeaders>
         <clear />
      </customHeaders>
   </httpProtocol>
</system.webServer>

There is no easy way to remove the "Server" response header via configuration, but you can implement an HttpModule to remove specific HTTP Headers as described in Cloaking your ASP.NET MVC Web Application on IIS 7 and in how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7.

JJS
RonyK
  • Using bkaid's answer I am able to remove the "Server" header. IIS 8. – tmorell May 08 '14 at 03:12
  • bkaid's answer is fine, but it requires coding, so I found the solution I described more convenient, since it's configuration based. – RonyK Jul 14 '14 at 15:28
15

As shown on Removing standard server headers on Windows Azure Web Sites page, you can remove headers with the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true"/>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

This removes the Server header, and the X- headers.

This worked locally in my tests in Visual Studio 2015.

Additional References:

Eric Dunaway
  • 7
    Adding removeServerHeader="true" gave me a 500 error on my ASP.NET 4.5.3 app – Rocklan Jan 21 '16 at 06:28
  • 4
    @LachlanB this was added in IIS 10: _IIS 10.0 added the removeServerHeader attribute to suppress sending the HTTP server header to remote clients._ Source: https://www.iis.net/configreference/system.webserver/security/requestfiltering – SynerCoder Aug 03 '16 at 11:59
  • 3
    I love that the Azure page provides _screenshots_ rather than code blocks. They literally do everything they can to make removing these unnecessary and potentially dangerous tags as difficult as possible. Also, I can't believe I'm referencing a three-year-old SO question to correct this issue, which shows no signs of being corrected. – Synctrex Aug 14 '18 at 15:36
  • 2
    I think this Web.config does not remove the X-AspNetMvc-Version header. To remove that one we need to add something in the Global.asax https://stackoverflow.com/a/20739875/1678525 – Jan H Feb 12 '20 at 12:48
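Added example, not part of the answer above: a Python lint that reads a web.config and reports which of this thread's disclosure headers it leaves in place. It uses constructed configs (the one shown above, and a minimal one) and an assumed iis_version parameter, because, as the comments note, removeServerHeader only exists on IIS 10.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the web.config in the answer above.
AZURE_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol><customHeaders><clear /></customHeaders></httpProtocol>
    <security><requestFiltering removeServerHeader="true"/></security>
  </system.webServer>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
</configuration>"""

# Constructed minimal config that only removes X-Powered-By.
MINIMAL_CONFIG = """<configuration>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""


def lint_web_config(xml_text: str, iis_version: int = 10) -> dict:
    """Map each disclosure header to True if this web.config suppresses it.

    iis_version (assumed parameter) matters for removeServerHeader: the
    attribute exists only from IIS 10 and breaks the site on older versions."""
    root = ET.fromstring(xml_text)
    custom = root.find("./system.webServer/httpProtocol/customHeaders")
    # <clear/> discards inherited custom headers (X-Powered-By is one);
    # an explicit <remove name="X-Powered-By"/> has the same effect.
    powered_by = custom is not None and (
        custom.find("clear") is not None
        or any(r.get("name", "").lower() == "x-powered-by"
               for r in custom.findall("remove")))
    runtime = root.find("./system.web/httpRuntime")
    aspnet = (runtime is not None
              and runtime.get("enableVersionHeader", "true").lower() == "false")
    rf = root.find("./system.webServer/security/requestFiltering")
    server = (iis_version >= 10 and rf is not None
              and rf.get("removeServerHeader", "false").lower() == "true")
    return {
        "X-Powered-By": powered_by,
        "X-AspNet-Version": aspnet,
        "Server": server,
        # No configuration switch exists for this one: it needs
        # MvcHandler.DisableMvcResponseHeader in Global.asax.
        "X-AspNetMvc-Version": False,
    }


def still_leaking(xml_text: str, iis_version: int = 10) -> list:
    """Sorted names of disclosure headers this config leaves in place."""
    return sorted(h for h, ok in lint_web_config(xml_text, iis_version).items() if not ok)


if __name__ == "__main__":
    print("config above, IIS 10:", still_leaking(AZURE_CONFIG))
    print("config above, IIS 8: ", still_leaking(AZURE_CONFIG, iis_version=8))
    print("minimal config:      ", still_leaking(MINIMAL_CONFIG))
```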
8

In Asp.Net Core you can edit the web.config files like so:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

You can remove the server header in the Kestrel options:

.UseKestrel(c =>
{
    // removes the server header
    c.AddServerHeader = false;
})
Darxtar
6

Check this blog. Don't use code to remove headers; it is unstable according to Microsoft.

My take on this:

<system.webServer>
  <httpProtocol>
    <!-- Security hardening of HTTP response headers -->
    <customHeaders>
      <!-- Sending the X-Content-Type-Options response header with the value 'nosniff'
           prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
      <add name="X-Content-Type-Options" value="nosniff" />

      <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
           By preventing a browser from framing your site you can defend against attacks like clickjacking.
           Recommended value "x-frame-options: SAMEORIGIN" -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />

      <!-- Setting the X-Permitted-Cross-Domain-Policies header to "master-only" instructs Flash and PDF files
           that they should only read the master crossdomain.xml file from the root of the website.
           https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
      <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

      <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
           Recommended value "X-XSS-Protection: 1; mode=block". -->
      <add name="X-Xss-Protection" value="1; mode=block" />

      <!-- Referrer-Policy allows a site to control how much information the browser includes with
           navigations away from a document and should be set by all sites.
           If you have sensitive information in your URLs, you don't want to forward it to other domains.
           https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
      <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

      <!-- Remove X-Powered-By from the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
      <remove name="X-Powered-By" />

      <!-- Ensure the cache-control is public; some browsers won't set expiration without that -->
      <add name="Cache-Control" value="public" />
    </customHeaders>
  </httpProtocol>

  <!-- Prerequisite for the <rewrite> section:
       install the URL Rewrite Module on the web server https://www.iis.net/downloads/microsoft/url-rewrite -->
  <rewrite>
    <!-- Remove Server response header (OWASP security measure) -->
    <outboundRules rewriteBeforeCache="true">
      <rule name="Remove Server header">
        <match serverVariable="RESPONSE_Server" pattern=".+" />

        <!-- Use a custom value for the Server info -->
        <action type="Rewrite" value="Your Custom Value Here." />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
mitaka
4

For the sake of completeness, there is another way to remove the Server header, using regedit.

See this MSDN blog.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

I'd rather find a proper solution using the Web.config, but using <rewrite> is not good because it requires the rewrite module to be installed, and even then it won't really remove the header, just empty it.

Rudey
  • If this works it sounds like a good solution for my case. I have 30 websites in different versions of .net and so would need 3 different ways of removing the headers and updating code in all these sites. I'd rather have a config setting or registry than having to modify code. – mike nelson Oct 18 '17 at 18:27
  • I applied this successfully two days ago, works great. – Rudey Oct 18 '17 at 20:48
  • This didn't work for me. I restarted the server after adding the key. Did I miss anything? – Noobie3001 Nov 07 '21 at 12:14
3

You can change any header, or anything else, in Application_EndRequest(); try this:

protected void Application_EndRequest()
{
    // removing excessive headers. They don't need to see this.
    Response.Headers.Remove("header_name");
}
Emdadul Sawon
1

The X-Powered-By header is added by IIS to the HTTP response, so you can remove it even on server level via IIS Manager:

You can use the web.config directly:

<system.webServer>
   <httpProtocol>
     <customHeaders>
       <remove name="X-Powered-By" />
     </customHeaders>
   </httpProtocol>
</system.webServer>
Jean-François Corbett
0

These directions apply to IIS 10.0 only.

  1. Open the web.config file located in the root directory for the Orion website.
  2. Configure requestFiltering in the web.config system.webServer node:

     <security>
         <requestFiltering removeServerHeader="true" />
     </security>

  3. Save the file and restart your IIS app.

Full config, including removal of X-Powered-By:

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
Vladyslav Fomin