1

I have an ASP.NET MVC project on an HTTPS URL.

I have removed the X-Powered-By header from IIS.

I have these lines in my web.config:

```xml
<httpProtocol>
    <customHeaders>
        <remove name="X-AspNet-Version" />
        <remove name="X-AspNetMvc-Version" />
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>
```

I have written the following class:

```csharp
using System;
using System.Web;

// Removes version-disclosing headers from responses that pass through the ASP.NET pipeline.
public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Runs just before ASP.NET sends the response headers to the client.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("X-Powered-By");
        HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
        HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
        HttpContext.Current.Response.Headers.Remove("Server");
    }
}
```

And I have added this line in my web.config for the above class:

```xml
<modules>
    <add name="RemoveServerHeaderModule" type="IZBSC.UI.Components.RemoveServerHeaderModule" />
</modules>
```

I have even added the following lines to my Global.asax file:

```csharp
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("X-Powered-By");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
    HttpContext.Current.Response.Headers.Remove("Server");
}
```

And I have added the following code line to my Application_Start() method in the Global.asax:

```csharp
MvcHandler.DisableMvcResponseHeader = true;
```

Now the server headers are removed from my pages...

But yet...

The Server and X-Powered-By headers are still shown for some CSS, jQuery and picture files.

Really, what should I do to remove the Server and X-Powered-By headers from all my requests, including page, style, script and image files?

Hamid Reza

2 Answers

3

If you wish to remove the Server response headers from the entire IIS server (which is better from a security perspective), you can configure it from the registry:

https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

Remove these headers:

  • Server - Specifies web server version.
  • X-Powered-By - Indicates that the website is "powered by ASP.NET."
  • X-AspNet-Version - Specifies the version of ASP.NET used.
Stefan
Ori a
1

The suggested answer from "Ori a" is the one which I have used and still use often, and it works well with managed code. But JS files are static content, which by default is served directly and not through managed code. Managed code modules only work for code passing through the ASP.NET pipeline. So you should force all requests to go through your managed code by adding this to your web.config in the system.webServer section:

<modules runAllManagedModulesForAllRequests="true">

Like this:

```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
  </modules>
</system.webServer>
```

With this statement you are forcing even the static content to adhere to your header rules. Hope it helps!

alaa_sayegh
  • Thanks, but the server headers still remain on JS and image files. – Hamid Reza Oct 25 '17 at 07:22
  • Can you show me a sample? Do you have any link? Or paste a screenshot. – alaa_sayegh Oct 25 '17 at 07:23
  • Which JS? I don't see any Server header values when I select a JS file. I use Google Chrome, under the Network tab. Maybe you need to clear your cache after you did the fix for the runAllManagedModulesForAllRequests. – alaa_sayegh Oct 25 '17 at 07:30
  • You should really avoid using `runAllManagedModulesForAllRequests` unless absolutely necessary. – dana Jul 17 '18 at 21:47
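
An added example, not part of the original posts: a small Python check that reports which responses still disclose the headers discussed in this thread, so pages and static files can be compared after each configuration change. The sample paths and header values are constructed for illustration, and `fetch_head` is a hypothetical helper for running the same check against a live host.

```python
import http.client

# Version-disclosing headers named in the question and answers above.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_head(raw):
    """Return the headers of a raw HTTP response head as a lower-cased dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:                      # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(heads):
    """Map each path to the banner headers it still discloses (leaking paths only)."""
    report = {}
    for path, headers in heads.items():
        leaks = {h: headers[h] for h in BANNER_HEADERS if h in headers}
        if leaks:
            report[path] = leaks
    return report

def fetch_head(host, path):
    """Live variant (hypothetical helper): GET one path over HTTPS, return its headers."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

# Constructed sample responses (not captured from a real site): the MVC page went
# through the managed module, the static files did not.
SAMPLES = {
    "/Home/Index": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "/Content/site.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
                         "Server: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "/Scripts/jquery.js": "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
                          "Server: Microsoft-IIS/10.0\r\n\r\n",
}

def audit_samples():
    return audit({path: parse_head(raw) for path, raw in SAMPLES.items()})

if __name__ == "__main__":
    for path, leaks in audit_samples().items():
        print(path, "->", leaks)
```

For a live check, build the input with `{p: fetch_head(host, p) for p in paths}` and pass it to `audit`; a cached browser response can hide a fix, whereas this always issues a fresh request.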