
I need to cloak certain headers generated by ASP.NET and IIS and returned in the responses from a ASP.NET WebAPI service. The headers I need to cloak are:

  • Server
  • X-AspNet-Version
  • X-AspNetMvc-Version
  • X-Powered-By

The service was earlier hosted in WCF, and the cloaking was done in an HttpModule by subscribing to PreSendRequestHeaders and manipulating HttpContext.Current.Response.Headers. With ASP.NET WebAPI everything is now task based, so HttpContext.Current is null. I tried to insert a message handler and manipulate the returned HttpResponseMessage, but the headers were not present on that stage. X-Powered-By can be removed in the IIS settings, but what is the suggested way to remove the rest of them?

Hendrik W. Hansen

4 Answers


The problem is each one is added at a different point:

  • Server: added by IIS. Not exactly sure if it can be turned off, although you seem to have been able to remove it using an HttpModule.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll. It can be overridden so this one should be OK.
  • X-Powered-By by IIS but can be turned off as you said.

I think your best bet is still using HttpModules.

Aliostad
  • You were right. I was able to remove them all (including Server) in the HttpModule. The only problem was how I got a reference to the HttpContext: HttpContext.Current returns null, but HttpApplication.Context on the HttpApplication instance passed to the HttpModule returns a valid instance. – Hendrik W. Hansen Jun 22 '12 at 12:39

For the benefit of those who land here through a Google/Bing search, here's the summary of steps:

Step 1: Create a class that derives from IHttpModule (and IDisposable to clean up when we're done):

    using System;
    using System.Collections.Generic;
    using System.Web;

    public class MyCustomModule : IHttpModule, IDisposable
    {
        private HttpApplication _httpApplication;

        // Response headers that fingerprint the server stack and should not be sent.
        private static readonly List<string> HeadersToCloak = new List<string>
        {
            "Server",
            "X-AspNet-Version",
            "X-AspNetMvc-Version",
            "X-Powered-By"
        };

        // Init, OnPreSendRequestHeaders and Dispose are shown in the following steps.
    }

Step 2: Get a reference to the intrinsic context in the IHttpModule.Init method, and assign an event handler to the PreSendRequestHeaders event:

    public void Init(HttpApplication context)
    {
        _httpApplication = context;

        // Fires just before the response headers are written, after ASP.NET has added its own.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

Step 3: Now the headers can be removed like so:

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        if (null == _httpApplication)
        {
            return;
        }

        // HttpContext.Current is null here; use the context of the HttpApplication passed to Init.
        if (_httpApplication.Context != null)
        {
            var response = _httpApplication.Response;
            // Response.Headers is only writable in IIS integrated pipeline mode;
            // in classic mode this call throws PlatformNotSupportedException.
            HeadersToCloak.ForEach(header => response.Headers.Remove(header));
        }
    }

    public void Dispose()
    {
        // Nothing to release; the HttpApplication is owned by the runtime.
    }

Step 4: Now register this module in your root web.config under system.webServer (if running in IIS 7.0 integrated mode; more details here):

    <configuration>
      <system.webServer>
        <modules>
          <add name="MyCustomModule" type="<namespace>.MyCustomModule"/>
        </modules>
      </system.webServer>
    </configuration>

Hope this helps!

Sudhanshu Mishra
  • This doesn't actually remove the `X-Powered-By` header. At least not in IIS 7. – Justin Helgerson Apr 24 '14 at 17:56
  • @Ek0nomik If you have access to the IIS console, check the HTTP Response Headers (double click the icon) and remove the X-Powered-By header from there. I too have experienced that if a response header is added from IIS, it does not get removed by the HttpModule; it appears that the header from IIS is added later in the pipeline. – Sudhanshu Mishra Apr 25 '14 at 03:29
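A quick way to verify the outcome of the steps above, and the behaviour described in the comments (X-Powered-By surviving the module until it is removed in IIS), is to inspect the response headers from outside. This Python checker is an added example, not code from the answer; the two raw responses are constructed samples, and `check_url` is only for running it against your own service.

```python
import urllib.request
from typing import Dict, List, Tuple

# The four headers discussed in this thread. HTTP header names are
# case-insensitive, so matching is done on the lower-cased name.
FINGERPRINT_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")


def leaked_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {canonical-name: [values]} for every fingerprint header present.

    Input is a list of (name, value) pairs so that duplicate headers
    (e.g. two Server lines) are all reported instead of silently merged.
    """
    wanted = {h.lower(): h for h in FINGERPRINT_HEADERS}
    found: Dict[str, List[str]] = {}
    for name, value in headers:
        canon = wanted.get(name.strip().lower())
        if canon is not None:
            found.setdefault(canon, []).append(value.strip())
    return found


def parse_raw_response(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP/1.x response into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # [1:] drops the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name, value))
    return pairs


def check_url(url: str) -> Dict[str, List[str]]:
    """Fetch `url` (your own service) and report the fingerprint headers it still sends."""
    with urllib.request.urlopen(url) as resp:
        return leaked_headers(resp.getheaders())


# Constructed sample: a response before any cloaking ...
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
          b"X-AspNet-Version: 4.0.30319\r\nX-AspNetMvc-Version: 4.0\r\n"
          b"X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n")
# ... and after the HttpModule, where IIS has still appended X-Powered-By.
AFTER = b"HTTP/1.1 200 OK\r\nx-powered-by: ASP.NET\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, leaked_headers(parse_raw_response(raw)) or "clean")
```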

If you're using IIS7 / Azure then have a look at this:

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

It shows the best way to disable these headers without using HttpModules.

Nick Evans
  • The question was about removing them with a custom HttpModule, not about how to remove them in general. I also faced this issue and still don't know how to get rid of it. Using UrlScan is more time consuming and it doesn't work on Windows Server 2012. – Tien Do Jun 17 '13 at 04:01

If you would like to remove the version header, go to the web.config file and add these lines:

<system.web>
  <compilation debug="true" targetFramework="4.5.2" />
  <!-- enableVersionHeader="false" stops ASP.NET from emitting X-AspNet-Version -->
  <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
</system.web>

Also, add these (httpProtocol belongs under system.webServer):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- removes the X-Powered-By header that IIS adds -->
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>