12

Why can I not remove X-Powered-By as part of my middleware that I am executing? I can remove it if I put in the web.config but not if I put it in the middleware. I am removing another header in the middleware "Server" : "Kestrel" which works and tells me my middleware is being executed.

I am using Visual Studio 2015, ASP.Net Core Web Application (.NET Framework), 1.0.0-rc2-final

My middleware

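using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public class ManageHttpHeadersMiddleware
{
    private readonly RequestDelegate _next;

    public ManageHttpHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // OnStarting callbacks run just before the response headers are sent.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers.Remove("Server");
            context.Response.Headers.Remove("X-Powered-By");

            return Task.CompletedTask;
        });

        // Pass the request on to the rest of the pipeline.
        await _next(context);
    }
}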

My Startup.Configure method looks like this

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddSerilog(new LoggerConfiguration()
        .ReadFrom.ConfigurationSection(Configuration.GetSection("Serilog"))
        .CreateLogger())
        .AddDebug();

    app.UseMiddleware<ManageHttpHeadersMiddleware>();

    app.UseJwtBearerAuthentication();

    app.UseMvc();

    app.UseSwaggerGen();
    app.UseSwaggerUi();
}

So my questions are:

  1. Is it because of the order in which I am executing the middleware in Startup.Configure?
  2. Is it because of the event I am executing in the middleware? I have tried using OnCompleted but it's obviously too late and does not then remove "Server" : "Kestrel"
  3. Is it because it's added by Kestrel or IIS in Azure and the only way to remove it is via the web.config?

I know that you could argue I have a workaround and what's my problem, but it would be nice to achieve the same requirement in the same code location, to help maintainability, etc.

Julian
Jamie Hollyhomes
  • 1
    This question is a possible duplicate of http://stackoverflow.com/questions/38279974/how-to-remove-server-header-using-middleware. That question was asked by myself. I just want to know: are you able to remove the Server header in middleware? – dotnetstep Aug 26 '16 at 23:22

3 Answers

13

For your query regarding X-Powered-By: you are right that you have to do it in the web.config file (when you are working with IIS), and when any such header is added by the server you have to maintain it manually or differently, as this is not part of ASP.NET Core.

If you understand the ASP.NET Core request pipeline, when we host it, it is like

  1. Browser - IIS - Kestrel (Windows)
  2. Browser - Nginx - Kestrel (Linux)

When any request is processed by Kestrel, it is then handed over to IIS or Nginx, and it is possible that IIS or Nginx adds a header. X-Powered-By is such a header. So we can remove it in web.config or directly in the IIS settings.

Note: As of now I feel that we will not get anything like what we had in old ASP.NET / ASP.NET MVC, in which we create an HttpModule and are able to remove all types of headers. That is possible over there because it is tightly integrated with IIS.

Note: I already put this in a comment, but for more clarification: I was not able to remove the Server header using middleware. I even tried your code. (I have tried with IIS.)

To remove the Server header I have to do the following.

new WebHostBuilder()
    // Stop Kestrel from adding its own "Server: Kestrel" header
    .UseKestrel(c => c.AddServerHeader = false)
dotnetstep
11

We can remove X-Powered-By and other headers with web.config, as it is added again in ASP.NET Core

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
Elnoor
Ahmar
4

Here's a complete web.config in the application root of a dotnet core 3.1 application that removes the X-Powered-By and Server headers. The other stuff is default when you add the file from Project > Add > New item > Web Config file

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
    <httpProtocol>
      <!-- Remove X-Powered-By header -->
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Remove Server header -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
BobbyTables
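Because the answers above move header removal out of the middleware and into web.config, the setting can silently regress when the file is edited. The following is an added example, not code from any of the posts: a small Python check, suitable for a build step, that reports whether a web.config still lets IIS emit X-Powered-By or Server. The function name and both sample documents are constructed for illustration; it assumes the settings sit directly under `<system.webServer>` and does not cover Kestrel's own `AddServerHeader` option.

```python
import xml.etree.ElementTree as ET

# Constructed sample: X-Powered-By is removed, then re-added by a later
# <add>, and removeServerHeader is missing.
SAMPLE_WEAK = """<configuration><system.webServer>
  <httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
    <add name="X-Powered-By" value="ASP.NET" />
  </customHeaders></httpProtocol>
</system.webServer></configuration>"""

# Constructed sample: the header-related parts of the third answer's file.
SAMPLE_HARDENED = """<configuration><system.webServer>
  <httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol>
  <security><requestFiltering removeServerHeader="true" /></security>
</system.webServer></configuration>"""


def audit_web_config(xml_text):
    """Return findings for headers the web.config still lets IIS emit."""
    ws = ET.fromstring(xml_text).find("system.webServer")
    if ws is None:
        return ["X-Powered-By: no <system.webServer> section",
                "Server: no <system.webServer> section"]
    findings = []
    # <customHeaders> children apply in document order, so a later <add>
    # re-introduces a header that an earlier <remove> or <clear> dropped.
    powered_by_removed = False
    custom = ws.find("httpProtocol/customHeaders")
    for child in (custom if custom is not None else []):
        name = (child.get("name") or "").lower()
        if child.tag == "clear":
            powered_by_removed = True
        elif name == "x-powered-by":
            powered_by_removed = (child.tag == "remove")
    if not powered_by_removed:
        findings.append("X-Powered-By: not removed in <customHeaders>")
    # The Server header is keyed on removeServerHeader, the setting the
    # third answer's own comment labels as removing it.
    rf = ws.find("security/requestFiltering")
    if rf is None or (rf.get("removeServerHeader") or "").lower() != "true":
        findings.append('Server: requestFiltering removeServerHeader is not "true"')
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_web_config(sample) or "ok")
```
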