I'm building an ASP.NET MVC 5 app using Visual Studio 2015 Update 3. I need to hide these response headers that are sent back to the client:

  • Server
  • X-AspNet-Version
  • X-AspNetMvc-Version

Before marking my question as a duplicate, please consider the following:

  • I need to not only strip the headers from dynamic content but also from static ones; the solutions listed below don't seem to work on static. In other words, images, CSS, JS, etc., will still display the headers. Some solutions fail on this.
  • "Bad requests" will cause other solutions to break and display the headers.
  • If possible, I'd rather not install anything on the server. The recommended tools include UrlRewrite and UrlScan [obsolete product]. If necessary, I can live with this path, however. But which one?

I've considered the following solutions,

As you can see, the posts are many, the paths confusing for my requirements. If I have to install a tool, which one?

Alex

  • I just use NWebSec (https://www.nwebsec.com). Covers pretty much everything you could possibly need and relatively simple to implement. – Chris Pratt Sep 29 '17 at 00:55
  • Thanks, @ChrisPratt. Just went to the site and noticed that the response header on the images is still shown: `Server:Microsoft-IIS/8.5`. Those are static content, so you'd want to figure out how to prevent the server info coming across for those as well. – Alex Oct 02 '17 at 14:44
  • There's a specific section in the docs that discusses that. TL;DR the only mechanism for removing that header is via a method that Microsoft has discouraged the use of. You can separately configure IIS to not send that header, which is the more appropriate method. – Chris Pratt Oct 02 '17 at 14:58
  • Thanks, @ChrisPratt. Yeah, I need to determine where in IIS you change the setting to not send that header. – Alex Oct 02 '17 at 14:59
  • You have to use UrlScan. While it is no longer officially supported, it anecdotally still works in current versions of IIS. Otherwise, you can only really blank it out via UrlRewrite rule, not remove it entirely. However, it provides no security benefits to do so (the server can still be fingerprinted to determine the web server being utilized), and it would only save you a few bytes per request, which is pretty insignificant given the effort involved in removing it. – Chris Pratt Oct 02 '17 at 15:22
  • Thanks, @ChrisPratt. Been reading about the nwebsec stuff. For .NET 4, which libraries are you using? I use OWIN for authentication in my app. Do I need the OWIN + MVC libraries? – Alex Oct 02 '17 at 15:30
  • I've just used NWebsec, NWebsec.Mvc and NWebsec.SessionSecurity. The OWIN package really just provides a programmatic API to manage it (whereas Mvc uses the Web.config). However, that API didn't do everything you could via the Web.config, last time I checked, so I just did it all in the Web.config and called it a day, instead of having half the config in one place and half in another. – Chris Pratt Oct 02 '17 at 15:34
  • Thanks again, @ChrisPratt. Do you mind throwing your thoughts into an answer and I'll give you some credit? – Alex Oct 02 '17 at 15:35
  • @Alex, what version of IIS are you using? In IIS 10, you can set removeServerHeader under Configuration Editor security/requestFiltering – Darrow7456 Apr 19 '18 at 17:18
  • @paul using 10 on Server 2016. Yeah, you're right. Thanks. – Alex Apr 19 '18 at 19:32
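As an added example (not posted by anyone in the thread), here is a Web.config that applies the settings the comments point to: the IIS 10 `removeServerHeader` attribute under `requestFiltering`, `enableVersionHeader="false"` for X-AspNet-Version, and a `customHeaders` removal for the IIS-added X-Powered-By header. All elements are standard IIS/ASP.NET configuration; the `targetFramework` value is an assumption for an MVC 5 app.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- X-AspNet-Version is emitted by the ASP.NET runtime, so it only ever
         appears on managed responses; this attribute turns it off. -->
    <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <security>
      <!-- IIS 10 (Windows Server 2016 and later) only. Because the Server
           header is stripped by IIS itself, static files (images, CSS, JS)
           and IIS-generated error responses are covered as well, not just
           MVC actions. Responses that HTTP.sys produces before the request
           reaches IIS are outside the scope of this setting. -->
      <requestFiltering removeServerHeader="true" />
    </security>

    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is added by IIS, not by ASP.NET, so it has to be
             removed at this level; this also applies to static content. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

X-AspNetMvc-Version is set by MVC in code rather than by configuration, so it is disabled with `MvcHandler.DisableMvcResponseHeader = true;` in `Application_Start` of Global.asax.cs. The Configuration Editor route Darrow7456 mentions sets this same `removeServerHeader` attribute.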