How to remove x-powered-by header in .net core 2.0

Question

I tried to use this middleware:

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        this.next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        context.Response.OnStarting(state =>
        {
            var ctx = (HttpContext)state;

            if (!ctx.Response.Headers.ContainsKey("Arr-Disable-Session-Affinity"))
            {
                ctx.Response.Headers.Add("Arr-Disable-Session-Affinity", "True"); // Disables the Azure ARRAffinity cookie
            }

            if (ctx.Response.Headers.ContainsKey("Server"))
            {
                ctx.Response.Headers.Remove("Server"); // For security reasons
            }

            if (ctx.Response.Headers.ContainsKey("x-powered-by") || ctx.Response.Headers.ContainsKey("X-Powered-By"))
            {
                ctx.Response.Headers.Remove("x-powered-by");
                ctx.Response.Headers.Remove("X-Powered-By");
            }

            if (!ctx.Response.Headers.ContainsKey("X-Frame-Options"))
            {
                ctx.Response.Headers.Add("X-Frame-Options", "DENY");
            }

            return Task.FromResult(0);
        }, context);

        await next(context);
    }
}

x-powered-by is still there in response header which says asp.net

score 48 · Answer 1 · answered Aug 28 '17 at 02:31

As far as I know, the removal of these headers is facilitated with the Request Filtering module, which is part of IIS.

To remove a header, you need to have a web.config file stored on your site, with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->

  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>


</configuration>

Add this web.config to your net core application's root folder.

Then it will remove the x-powered-by header.

The result like this:

Yes, this seems to be the only way to do this since the header is generated by IIS. There's some further information including comments by the .Net Core Hosting team here: https://github.com/aspnet/Hosting/issues/571 — TallMcPaul, Feb 22 '18 at 15:47
@flipdoubt check this SO answers: https://stackoverflow.com/questions/52452194/remove-server-header-from-asp-net-core-2-1-application — Codingwiz, May 09 '23 at 19:21

Ahmed Al Jabry · Accepted Answer · 2020-06-30T09:09:52.690

31

In addition to @Brando Zhang answer, To remove "Server:Kestrel" from response header:

-.NET Core 1

 var host = new WebHostBuilder()
        .UseKestrel(c => c.AddServerHeader = false)
        .UseContentRoot(Directory.GetCurrentDirectory())
        .UseIISIntegration()
        .UseStartup<Startup>()
        .Build();

-NET Core 2

WebHost.CreateDefaultBuilder(args)
               .UseKestrel(c => c.AddServerHeader = false)
               .UseStartup<Startup>()
               .Build();

edited Jun 30 '20 at 09:09

answered Jan 08 '18 at 07:12

Ahmed Al Jabry

1,367
13
9

4

This goes in the project's Program.cs file, you should see an existing entry but without the .UseKestrel() call – Bern Jun 28 '18 at 16:47
23

this don´t remove the x-powered-by header! – Sergio Rezende Aug 19 '18 at 22:14
@BerBar It does if you're not running the application in IIS... E.G. run it as a console app – Chris Klepeis Sep 05 '18 at 13:41
2

Remove the x-powered-by using IIS manager, http headers. Just delete them out of the list. – jjxtra Sep 19 '18 at 05:18
7

".UseKestrel(c => c.AddServerHeader = false)" only removes the "Server" header. It has no impact on X-Powered-By – Clay Lenhart Jul 13 '19 at 22:55
I have head to remove the header in IIS on the server as this configures that as well – Walter Verhoeven Nov 30 '20 at 09:35

score 8 · Answer 3 · edited Jun 20 '20 at 09:12

8

If you don't want to create a web.config file in a ASP.NET Core solution, you can remove the X-Powered-By header in IIS Manager.

Click on <ServerName> --> HTTP Response Headers --> X-Powered-By and choose the Remove action.

This will remove the header for all websites on that server. Which is fine because why would you want to share that info in the first place?

edited Jun 20 '20 at 09:12

Community

1
1

answered Jan 08 '20 at 09:50

MonkeyDreamzzz

3,978
1
39
36

score 2 · Answer 4 · answered Oct 19 '19 at 16:11

As an alternative option to the answers above you can use a configuration transformation. That way the web.config will still be generated via the dotnet publisher sdk but can be mixed with specific tags such as the header removal.

In the root of the project create a new web.Release.config file as such:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location>

    <!-- To customize the asp.net core module uncomment and edit the following section. 
    For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
    <system.webServer>
      <httpProtocol xdt:Transform="InsertIfMissing">
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

  </location>
</configuration>

Note that this is a transformation file, not the actual web.config file.

How to remove x-powered-by header in .net core 2.0

4 Answers4

Linked