5

We are using a self hosted WebApi and we are required to remove the server header (Server: Microsoft-HTTPAPI/2.0) of the responses sent.

Since it is self hosted, a HttpModule is not an option. Implementing a DelegatingHandler, access to headers as well as adding is possible. The asp.net website nicely details how one can do that.

But the server header seems to be added much later in the pipeline since it is not set in the HttpResponseMessage we return from the DelegatingHandler. However, we are able to add values.

async protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
    HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
    response.Headers.Server.Add(new ProductInfoHeaderValue("TestProduct", "1.0"));
    response.Headers.Add("Server", "TestServerHeader");

    return response;
}

Both Server.Add and .Add work as expected. response.Headers.Remove("Server"); however does not work, because the server header is not set, response.Headers.Server is empty.

Is there anything i am missing?

MaP
  • 51
  • 1
  • 2
  • Just an idea, I haven't tried this myself. Message handlers, like `DelegatingHandler`-derived classes are executed very early in the Web API pipeline. It's worth trying to add your code in an `ActionFilter`-derived class, as action filters are executed much later in the pipeline, just before the controller actions. By then, perhaps the header you want will exist. – djikay Jun 30 '14 at 11:08
  • Thank you for @djikay for pointing this out, i did not know about `ActionFilterAttribute`. Unfortunately it seems it is still too early since the server header is not set when the Attribute executes. – MaP Jun 30 '14 at 13:21
  • Ah, I know why. This header is added by the hosting layer, which is the first layer hit when a request comes in and the *last* layer hit when a response goes out. Those headers ("Server" is just one of them) can be tough to remove. Check out [this SO question](http://stackoverflow.com/questions/11155176/removing-headers-from-the-response) and [this article](http://consultingblogs.emc.com/howardvanrooijen/archive/2009/08/25/cloaking-your-asp-net-mvc-web-application-on-iis-7.aspx). The latter is rather dated and talks about IIS hosting (not self-hosting), but it may give you some ideas. – djikay Jun 30 '14 at 13:50
  • This [forums.asp.net Q&A](http://forums.asp.net/t/1803242.aspx?Is+it+possible+to+programmatically+remove+the+custom+ASP+NET+headers+) also gives a short programmatic way to do this. I must emphasise that I haven't tried any of this myself so I can't tell you it will definitely work, I'm just hoping this will give you ideas. – djikay Jun 30 '14 at 13:55
  • @djikay thank you for the effort, but unfortunately all discussions you linked are only applicable if webapi is hosted via IIS7. – MaP Jul 01 '14 at 06:06

2 Answers2

4

add

appBuilder.Use((context, next) =>
        {
            context.Response.Headers.Remove("Server");
            context.Response.Headers.Add("Server", new[] { "" });
            return next.Invoke();
        });

to Startup Configuration method just before

config.EnsureInitialized();
Piotr
  • 76
  • 3
4

There is no code solution to remove Server HTTP header on self host. The only solution is to edit windows registry: https://learn.microsoft.com/ru-ru/archive/blogs/dsnotes/wswcf-remove-server-header

Yuriy Kovalenko
  • 41
  • 3