40

Is it possible to remove the Server Response header in a ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?

I tried putting the following in the web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <remove name="X-Powered-By" />
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel"

ThomasArdal
eat-sleep-code

7 Answers

84

This solution works on IIS 10+ and allows you to remove the X-Powered-By and Server headers from the server response.

In IIS 10 a new attribute was added: removeServerHeader.

We need to create a web.config file in the ASP.NET Core application with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Then publish the app and restart the site in IIS.

vladimir
Sam Alekseev
  • Good catch. I spent several hours trying to remove IIS's Server header. I'll try your solution too. – Enrico Massone Apr 04 '19 at 16:43
  • Visual Studio complains that the `removeServerHeader` attribute is not allowed. – hvaughan3 Jun 15 '19 at 02:01
  • @hvaughan3 I noticed that too - Visual Studio does say "the 'removeServerHeader' attribute is not allowed", emphasized by highlighting it with the wobbly green line, but it does work as suggested. Thanks @user3172616! – Brett Rigby Jul 31 '19 at 13:22
  • Can I write something in my code to automatically generate this in web.config on publish time? – WarrenG Dec 06 '19 at 10:26
  • This works for me; my API is hosted on IIS 10 and it removed the "Server" header. – Gautam Sharma Jun 09 '21 at 10:47
  • Is there a way to make an earlier version of IIS ignore this attribute? This `removeServerHeader` attribute makes web apps unable to start in IIS 8 :( – nvirth Nov 24 '21 at 16:26
  • Since .NET Core is not using web.config anymore, are there other alternatives to remove the Server header in IIS? – aj go Sep 22 '22 at 12:15
  • @ajgo .net core does not include it in the solution files, but when you publish the project it will be included in the published directory. Furthermore it is present in the IIS server directory and can be modified directly or using IIS GUI. – Hamid Siaban Sep 28 '22 at 12:48
  • @HamidSiaban - Thank you for the reply. I just cleared this problem on my side. I fixed it with the help of a web.config file that I manually added to my project. Since our app is running in IIS, I can remove the Server header using it. – aj go Sep 29 '22 at 01:19
  • Works well in .NET Core 3.1 – Venugopal M Jan 06 '23 at 11:32
  • The solution worked perfectly for web pages. I still see the headers coming up on static files which were served. Any suggestions for getting rid of it there? – Mandy Apr 12 '23 at 02:20
61

The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.

You can remove the Server header by setting the AddServerHeader property to false on KestrelServerOptions; this can be done in Program.cs.

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            // Stops Kestrel from adding its "Server: Kestrel" response header
            .UseKestrel(options => options.AddServerHeader = false)
            .UseStartup<Startup>();
Tabish Usman
user1336
  • This does not remove the header. Kestrel gives the response to IIS and IIS adds this header. To remove this header you have to configure the web.config file – Sumit Joshi May 11 '19 at 17:16
  • You have to do all things to remove this header. This setting stops it being set, but kestrel is not the only place which wants hackers to know what tech your server is running. Cover the web config as well (as per the next answer) and you're golden. – speciesUnknown Mar 12 '21 at 15:52
  • This works if you don't use IIS. – user692942 May 30 '23 at 14:03
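The two answers above and their comments disagree only because they look at different layers: Kestrel emits `Server: Kestrel`, and IIS in front of it emits its own `Server: Microsoft-IIS/10.0` plus `X-Powered-By`. The following is an added deployment check, not code from any answer in this thread: it parses the head of a raw HTTP response (the text `curl -sI` prints) and says which layer is still leaking and which of the two fixes applies, and it lints a published web.config for the two IIS-side settings from the top answer. The sample response heads and web.config contents are constructed for this example; `X-AspNet-Version` is included because a later answer on the page removes it as well.

```python
import xml.etree.ElementTree as ET

# Headers that reveal the server or framework: the two from the question plus
# X-AspNet-Version, which the last answer on the page also strips.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_head(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response head (e.g. `curl -sI` output).
    Header names are lower-cased; repeated headers are joined with commas."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: dict = {}
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def attribute_server_header(value: str) -> str:
    """Map a Server header value to the layer that emitted it and the fix
    from this thread that applies to that layer."""
    v = value.lower()
    if v.startswith("kestrel"):
        return "kestrel: set KestrelServerOptions.AddServerHeader = false"
    if v.startswith("microsoft-iis"):
        return 'iis: set <requestFiltering removeServerHeader="true" /> in web.config (IIS 10+)'
    return "other: check the reverse proxy in front of the app"


def audit_response(raw: str) -> dict:
    """Return {header: note} for every disclosure header still present.
    An empty dict means the response is clean."""
    headers = parse_response_head(raw)
    findings = {}
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings[name] = (attribute_server_header(headers[name])
                              if name == "server" else headers[name])
    return findings


def audit_web_config(xml_text: str) -> list:
    """Lint a published web.config for the IIS-side settings from the thread.
    Returns the list of missing settings; empty means both are present."""
    root = ET.fromstring(xml_text)
    problems = []
    rf = root.find("./system.webServer/security/requestFiltering")
    if rf is None or rf.get("removeServerHeader", "").lower() != "true":
        problems.append("requestFiltering removeServerHeader is not true")
    removed = {e.get("name", "").lower() for e in
               root.findall("./system.webServer/httpProtocol/customHeaders/remove")}
    if "x-powered-by" not in removed:
        problems.append("customHeaders does not remove X-Powered-By")
    return problems


# Constructed sample response heads (not captures from the question's server).
RESPONSE_BEFORE = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html; charset=utf-8\r\n"
                   "Server: Microsoft-IIS/10.0\r\n"
                   "X-Powered-By: ASP.NET\r\n"
                   "X-Frame-Options: sameorigin\r\n\r\n")
RESPONSE_KESTREL = "HTTP/1.1 200 OK\r\nServer: Kestrel\r\nContent-Length: 0\r\n\r\n"
RESPONSE_AFTER = ("HTTP/1.1 200 OK\r\n"
                  "Content-Type: text/html; charset=utf-8\r\n"
                  "X-Frame-Options: sameorigin\r\n\r\n")

# Constructed web.config contents. WEAK is the question's original attempt
# (<remove name="Server"/> under customHeaders), FIXED is the top answer.
WEB_CONFIG_WEAK = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""
WEB_CONFIG_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_BEFORE), ("kestrel", RESPONSE_KESTREL),
                       ("after", RESPONSE_AFTER)):
        print(label, audit_response(raw))
    print("weak web.config:", audit_web_config(WEB_CONFIG_WEAK))
    print("fixed web.config:", audit_web_config(WEB_CONFIG_FIXED))
```

Feed a real `curl -sI https://host/` capture to `audit_response`: a `Server: Kestrel` finding means the fix belongs in Program.cs (AddServerHeader = false), a `Server: Microsoft-IIS/...` finding means it belongs in the published web.config, and an IIS deployment usually needs both. Run `audit_web_config` over the web.config in the publish output rather than the one in the project, since that is the copy IIS reads.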
18

In .NET 6, it becomes

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.UseKestrel(option => option.AddServerHeader = false);
ricky888
8

For those trying to do the same thing (removing the Server response header added by the Kestrel web server) but with ASP.NET Core 2.2 instead, use the extension method ConfigureKestrel (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.webhostbuilderkestrelextensions.configurekestrel?view=aspnetcore-2.2#Microsoft_AspNetCore_Hosting_WebHostBuilderKestrelExtensions_ConfigureKestrel_Microsoft_AspNetCore_Hosting_IWebHostBuilder_System_Action_Microsoft_AspNetCore_Server_Kestrel_Core_KestrelServerOptions__) instead of the extension method UseKestrel.

vladimir
Enrico Massone
  • Hmm, `ConfigureKestrel(x => x.AddServerHeader = false)` has no effect for me. Header is still in place – Sam Alekseev Apr 04 '19 at 15:38
  • @user3172616 are you running the app from Visual Studio or from a test environment having its own server? – Enrico Massone Apr 04 '19 at 16:29
  • App is running on a remote production server, IIS 10 (not Kestrel). Anyway I found another solution and posted it in this thread. – Sam Alekseev Apr 04 '19 at 16:37
  • @user3172616 Notice that the configuration for Kestrel affects ONLY the HTTP response headers set by Kestrel itself. Usually, when you run an ASP.NET Core application you use a reverse proxy server sitting in front of your application. This means that the reverse proxy has a chance to add ITS own response headers. For instance, if you use IIS (even IIS Express) you will find the Server header added by IIS – Enrico Massone Apr 04 '19 at 16:38
  • @user3172616 In the case I mentioned above you have to configure the reverse proxy server put in front of the ASP.NET Core application in order to strip its own Server header. The extension method `ConfigureKestrel(x => x.AddServerHeader = false)` only affects Kestrel's headers – Enrico Massone Apr 04 '19 at 16:40
  • I misunderstood your answer, sorry. Indeed, those headers are set at the IIS level, so I used the web.config file to configure this behavior. – Sam Alekseev Apr 04 '19 at 16:42
7

For Dotnet Core 3.1 UseKestrel is part of ConfigureWebHostDefaults as opposed to CreateDefaultBuilder in earlier versions.

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>()
                      .UseKestrel(options => options.AddServerHeader = false);
        });
nilobarp
  • This works. It may be worth mentioning that, if you use this fix, you can't run the application using IIS Express in Visual Studio. You'll get this error: `System.InvalidOperationException: 'Application is running inside IIS process but is not configured to use IIS server.'` – Tom Chantler Jul 23 '20 at 09:40
  • Same happened to me. `UseKestrel` will fail to run your application in an IIS server – Bernard Nongpoh Aug 05 '20 at 08:51
  • Is there any way we could remove the "Content-Length" header that is added by Kestrel ? – user804401 Nov 16 '21 at 10:07
5

These directions apply to IIS 10.0 only.

  1. Open the web.config file located in the root directory for the website.

  2. Configure requestFiltering in the web.config system.webServer node:

    <security>
        <requestFiltering removeServerHeader="true" />
    </security>

  3. Save the file and restart your IIS app.

Vladyslav Fomin
0

The answer from @SamAlekseev is really good for removing the Server and X-Powered-By headers. The only thing missing is removing X-AspNet-Version as well. This works for Azure App Services as well as IIS.

Complete web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
  <!--
  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
  </system.webServer>
  -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false"/>
  </system.web>
</configuration>

Source:

https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/

Ogglas