In IIS 7.0 integrated mode, after deleting all headers with `Response.ClearHeaders()`, IIS would add some other headers like `Server` and `X-Powered-By`, which reveal good information to hackers. How can I stop this behavior (consider I still need to add my custom headers)?

- possible duplicate of [Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan](http://stackoverflow.com/questions/12803972/removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without) – CrazyPyro Mar 16 '15 at 17:34
- I know this one was asked first, but that other question is now more complete and up-to-date. – CrazyPyro Mar 16 '15 at 17:35
7 Answers
You can add this to your Web.Config:

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Update: if you're using the MVC framework I would also recommend removing the `X-AspNetMvc-Version` and `X-AspNet-Version` headers. This is accomplished by setting `MvcHandler.DisableMvcResponseHeader = true` in your Global.asax file and `<system.web><httpRuntime enableVersionHeader="false" /></system.web>` in your Web.config respectively.

- In IIS 10.0 (and Azure Web Apps) you can also get rid of the `Server` header with ``. – Ohad Schneider Dec 04 '16 at 23:38
- Facing a similar issue. Added a custom header to the web.config file. Locally the application runs fine but throws a 500 Internal Server error on deployment to IIS server 8.5 (AWS). https://stackoverflow.com/questions/52947861/webconfig-with-custom-response-header-in-web-config-error-after-deploying-to-iis – Asif Iqbal Oct 31 '18 at 09:45
The `X-Powered-By` header is configured within IIS. On Windows 7 it's specifically:

- IIS Manager
- COMPUTER NAME > Sites > Default Web Site
- HTTP Response Headers
- Remove `X-Powered-By`

I'm not sure what generates the `Server` header though.

- Thanks. At least 50% progress. I prefer a general approach from inside ASP.NET if possible. – Xaqron Nov 02 '10 at 15:11
- @Xaqron, you can probably get at the setting programmatically, but I don't know how offhand. Sorry. – Samuel Neff Nov 02 '10 at 15:12
For IIS7+ integrated mode, eth0 has it: the `<customHeaders>` tag in web.config. Thanks for that. As for the "Server" header, if using MVC, you can simply add:

```csharp
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
}
```

to your MvcApplication class in Global.asax. Otherwise, you can simply add a custom HTTP module, handling the PreSendRequestHeaders event, and do the same thing.

- PreSendRequestHeaders is not a part of the managed pipeline and can produce strange results like frozen asynchronous requests. http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead#presend – Dmitry S. Jun 10 '16 at 19:51
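The answer above mentions a custom HTTP module without showing one, and the comment under it warns against the `PreSendRequestHeaders` event. The following is an added example, not code from any answer on this page: an `IHttpModule` that strips `Server`, `X-Powered-By`, `X-AspNet-Version` and `X-AspNetMvc-Version` from every response that runs through the managed pipeline while leaving the application's own custom headers alone. It assumes IIS 7+ in integrated mode and .NET Framework 4.5.2 or later, because it uses `HttpResponse.AddOnSendingHeaders` (the documented replacement for `PreSendRequestHeaders`) and `Response.Headers`, which is writable only in integrated mode. The namespace, class name and the assembly name in the registration snippet are placeholders.

```csharp
// Added example (not from the original page): strips identifying response headers.
// Assumes IIS 7+ integrated pipeline and .NET Framework 4.5.2+ (AddOnSendingHeaders).
using System;
using System.Web;

namespace StripHeadersDemo   // hypothetical namespace
{
    public class StripIdentifyingHeadersModule : IHttpModule
    {
        // Only these headers are removed; custom headers added by the app are untouched.
        private static readonly string[] HeadersToStrip =
        {
            "Server",
            "X-Powered-By",
            "X-AspNet-Version",
            "X-AspNetMvc-Version"
        };

        public void Init(HttpApplication app)
        {
            // Register the callback once per request, as early as possible. The runtime
            // invokes it immediately before the headers are written, i.e. after IIS and
            // ASP.NET have added theirs, which is why removing them here sticks.
            app.BeginRequest += (sender, e) =>
            {
                var application = (HttpApplication)sender;
                application.Context.Response.AddOnSendingHeaders(StripHeaders);
            };
        }

        private static void StripHeaders(HttpContext context)
        {
            // Response.Headers is a NameValueCollection in integrated mode; in classic
            // mode accessing it throws PlatformNotSupportedException.
            foreach (string name in HeadersToStrip)
            {
                context.Response.Headers.Remove(name);
            }
        }

        public void Dispose()
        {
            // Nothing to release.
        }
    }
}

// Register the module in Web.config (integrated mode). Replace YourWebAssembly with
// the name of the assembly that contains the class above:
//
//   <system.webServer>
//     <modules>
//       <add name="StripIdentifyingHeaders"
//            type="StripHeadersDemo.StripIdentifyingHeadersModule, YourWebAssembly" />
//     </modules>
//   </system.webServer>
```

This is a belt-and-braces measure, not a replacement for the configuration in the first answer: keep `<remove name="X-Powered-By" />`, `enableVersionHeader="false"` and (for MVC) `MvcHandler.DisableMvcResponseHeader = true`, since the module only runs for requests that reach the managed pipeline. After deploying, confirm with a raw request (for example `curl -I`) against a page, a static file and a 404, because those three are served by different parts of IIS.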
Would like to add here that for the ASP.NET Core versions where there is no longer a web.config file a different approach is necessary.

I made the following adjustments to remove the headers in ASP.NET Core 2.1:

You can remove the `X-Powered-By` header by replacing

```xml
<customHeaders>
  <clear />
  <add name="X-Powered-By" value="ASP.NET" />
</customHeaders>
```

with

```xml
<customHeaders>
  <remove name="X-Powered-By" />
</customHeaders>
```

in the applicationhost.config file found in the .vs\config folder of the project.

The `Server` header can be removed by adding

```csharp
.UseKestrel(c => c.AddServerHeader = false)
```

in the Program.cs file.

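The answer above shows the `UseKestrel` call in isolation. The following is an added example, not code from that answer: a complete ASP.NET Core 2.1 `Program.cs` and `Startup` pair that turns off Kestrel's `Server: Kestrel` header and, in addition, uses `HttpResponse.OnStarting` to strip the other identifying headers if any later middleware or library sets them, while keeping the application's own custom headers. It assumes the `Microsoft.AspNetCore.App` 2.1 metapackage; the namespace and the `X-Custom` header are placeholders.

```csharp
// Added example (not from the original page): ASP.NET Core 2.1 host with no
// identifying response headers. Assumes Microsoft.AspNetCore.App 2.1.
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;

namespace NoHeadersDemo   // hypothetical namespace
{
    public class Program
    {
        public static void Main(string[] args) => CreateWebHostBuilder(args).Build().Run();

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                // Kestrel adds "Server: Kestrel" itself; this option is the only switch for it.
                .UseKestrel(options => options.AddServerHeader = false)
                .UseStartup<Startup>();
    }

    public class Startup
    {
        // Headers to drop if anything in the pipeline sets them. Custom headers survive.
        private static readonly string[] HeadersToStrip =
        {
            "Server",
            "X-Powered-By",
            "X-AspNet-Version",
            "X-AspNetMvc-Version"
        };

        public void Configure(IApplicationBuilder app)
        {
            app.Use(async (context, next) =>
            {
                // Headers can only be changed before the first body byte is written.
                // OnStarting runs at exactly that point, so the removal below is safe
                // even when downstream middleware adds one of these headers later;
                // touching Response.Headers after "await next()" would throw instead.
                context.Response.OnStarting(() =>
                {
                    foreach (string name in HeadersToStrip)
                    {
                        context.Response.Headers.Remove(name);
                    }
                    return Task.CompletedTask;
                });

                await next();
            });

            app.Run(async context =>
            {
                context.Response.Headers["X-Custom"] = "kept"; // the app's own header is kept
                await context.Response.WriteAsync("ok");
            });
        }
    }
}
```

The middleware only sees what the application itself emits. When the app is hosted behind IIS, headers that IIS adds on its own way out of the server are not visible to it, so the `<customHeaders><remove name="X-Powered-By" /></customHeaders>` change from the answer above still has to be made in the site's configuration (the published web.config for a deployed site, applicationhost.config in `.vs\config` for IIS Express).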
The following answer includes a complete solution that does not require URLScan or a custom HttpModule, and removes all the related headers you mention. It also works on Azure:

[Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan](http://stackoverflow.com/questions/12803972/removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without)

URLScan can be used to remove the `Server` header, or to configure another `Server` header: http://learn.iis.net/page.aspx/938/urlscan-3-reference/

But it never really prevents a hacker from knowing what you use, in fact. There are obviously other ways to detect your server information.

- Thanks. There should be something built-in like config sections or, in the worst case, registry manipulation rather than installing a component whose main purpose is not deleting `Server` headers. – Xaqron Nov 20 '10 at 14:18
- I already said that not everyone thinks showing the `Server` header is bad. So why should it be built in if few people use it? – Lex Li Nov 27 '10 at 02:55
You can use appcmd.exe (IIS 7 and above) to do your job. The script will be like this:

```bat
C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webserver/httpProtocol /-customHeaders.["name='X-Powered-By'"] /commit:apphost
```

`/commit:apphost`: this commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

I usually create a batch file of all these scripts which I run on the web server after the application is installed.

For ASP.NET MVC applications the approach is different and you can refer to other answers given here.
