4

I'm using Asp.Net Core 2.2.1. I'm trying to remove the Server header from the response. I tried adding `options.AddServerHeader = false;` inside `ConfigureKestrel()`, but was still unsuccessful. Please assist me on where I'm going wrong.

Here is my code:

Program.cs

    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;

    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args)
        {
            return WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .ConfigureKestrel((context,options) => {
                    // Set properties and call methods on options
                    options.AddServerHeader = false;
                });
        }
    }

Web.config

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <!-- To customize the asp.net core module uncomment and edit the following section.
      For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
      <system.webServer>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
        <handlers>
          <remove name="aspNetCore" />
          <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess">
          <environmentVariables>
            <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44342" />
            <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
          </environmentVariables>
        </aspNetCore>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

Thanks,

Abdul

fingers10
  • I think for this one it's a case of changing your IIS config, rather than your code. – TZHX May 12 '19 at 18:31
  • see this answer on another question: https://stackoverflow.com/a/53222946/519348 – TZHX May 12 '19 at 18:32
  • @TZHX the answer mentioned above doesn't work. I can still see the server header in the response. Any other help? – fingers10 May 12 '19 at 19:00

2 Answers

11

Calling `ConfigureKestrel` with `options.AddServerHeader = false;` will only remove the server header if your application is running on Kestrel. When you are hosting your application on IIS/IISExpress, you need to add the web.config with the following settings:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

This line `<requestFiltering removeServerHeader="true" />` will do the trick. In addition, you can also remove the custom headers, such as `X-Powered-By`, if you like by adding the `customHeaders` section under `httpProtocol`.

Please make sure you have Request Filtering enabled.

I hope this helps.

Shahzad Hassan
  • This doesn't work. I'm still getting the Server Header – fingers10 May 13 '19 at 14:03
  • Please make sure you have Request Filtering enabled under World Wide Web Services --> Security as shown in the screenshot – Shahzad Hassan May 13 '19 at 14:23
  • These settings in IIS need to be configured for testing in local development? – fingers10 May 13 '19 at 14:40
  • Yes on local IIS. However, you would need to do that on the server as well, when you deploy your application. – Shahzad Hassan May 13 '19 at 14:58
  • what about running via IIS Express? – fingers10 May 14 '19 at 02:38
  • You don't need to install anything for IISExpress as it's a standalone version of IIS with most of the features enabled. In order to set those rules globally, you can modify the applicationhost.config file that resides in the .vs hidden folder under your project directory in the config folder. When your project has web.config it reads those settings from there and overrides the global settings. applicationhost.config file is created automatically when you launch your application inside the Visual Studio. – Shahzad Hassan May 14 '19 at 03:10
  • But still running via IIS Express shows `Server Header: Microsoft-IIS/10.0` – fingers10 May 14 '19 at 14:22
  • Do you have the web.config at the root of the project? Or did you modify the applicationhost.config? I tested it before posting and it works fine, so there must be something different at your end. Is it possible for you to upload the sample code to GitHub or something? – Shahzad Hassan May 14 '19 at 14:25
  • Here is the github repo with the solution. Please check and assist. [Repo Link](https://github.com/fingers10/ResponseHeaderTest) – fingers10 May 15 '19 at 17:54
  • 1
    @Abdul The problem is inside your web.config. It doesn't have the ` `. Have a look at the screenshots [WithServerHeader](https://github.com/softmatters/ResponseHeaderTest/blob/master/WithServerHeader.png) and [NoServerHeader](https://github.com/softmatters/ResponseHeaderTest/blob/master/NoServerHeader.png). Also, the updated [Web.config](https://github.com/softmatters/ResponseHeaderTest/blob/master/Test/Galla/web.config). You will see no **server** header once the security section is added. I hope that helps. – Shahzad Hassan May 16 '19 at 01:04
  • I had ` ` in my actual project and since that doesn't work I removed that. After that I made a copy for test repo with that removed code. Anyways I'll again check from my end and update the answer. – fingers10 May 16 '19 at 04:33
  • How are you launching the application in IISExpress? – Shahzad Hassan May 16 '19 at 05:43
  • I added and tried again but still not working. I'm running the solution by pressing F5 key. I have added the working GIF here [WorkingDemo](https://github.com/fingers10/ResponseHeaderTest/blob/master/ResponseHeaderDemo.gif) Please check. I'm still not sure where I'm going wrong – fingers10 May 16 '19 at 14:32
  • How bizarre, please try deleting the applicationhost.config that should be in `ResponseHeaderTest\Test\.vs\config` folder. You may need to show the hidden folders to see the .vs folder. The file will be created again when you launch the IISExpress. – Shahzad Hassan May 16 '19 at 15:05
  • Tried that but still not getting removed. Anything else I need to configure? – fingers10 May 16 '19 at 18:43
  • Is your request going through a proxy? I literally took your code, compiled it and launched it in IISExpress. There was a server header present. So I changed the web.config and launched it again and the **server** header is gone. Something is not right at your end. Can you please try creating a brand new Asp.Net Core Web Application in a different folder and add a web.config and modify it. Then launch it and see if you get the header or not. – Shahzad Hassan May 17 '19 at 02:41
  • No proxies. I'll try and get back. By the way, all under security folder needs to be checked in world wide web services? I just checked request filtering under security folder in IIS – fingers10 May 17 '19 at 11:33
  • 1
    I don't think all need to be checked if you are not using those features e.g. Basic Authentication etc. Only what you need. Also, try publishing it to IIS and see if the published code works under full IIS, as ultimately you have to host there :) – Shahzad Hassan May 17 '19 at 13:42
  • I published to IIS and verified. The Server header is removed and it's no longer there. :) Thanks @Shahzad Hassan – fingers10 May 19 '19 at 17:45
  • Great, I am glad I was able to help. Good to know that it's finally working. Not sure why it's not working on IISExpress for you, but nothing to worry about. If it still bothers you, try on another machine and see if it behaves the same :) – Shahzad Hassan May 20 '19 at 02:16
  • Ok, but how do you do this in an `appsettings.json`? – JHBonarius Jan 12 '21 at 17:27
2

We can do this with URLRewrite. Please note this will not remove the header altogether but it will remove the value of it.

Following are the steps:

Step 1. Install URLRewrite. To install the URLRewrite please go to the following link

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the Server header and click on the URLRewrite section.

Step 3. Click on the “View Server Variables” in the Actions pane on the right-hand side.

Step 4. Click on the Add button and then enter “RESPONSE_SERVER” in the textbox provided.

Step 5. Now we need to create an outbound rule. To know how to create an outbound rule, look at the following link

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-modul...

Step 6. Create an Outbound rule as the following.

Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the Server header, so you may need to remove this rule for those applications.
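
The outbound rule from Steps 4 to 6, written as the `web.config` section such a rule corresponds to. This is an added example, not the answer's own configuration: the screenshot of the rule is not available, so the rule name and the `.+` pattern are assumptions, while `RESPONSE_SERVER` is the server variable named in Step 4.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rule name is a placeholder chosen for this example. -->
        <rule name="Blank Server header value">
          <!-- RESPONSE_SERVER is how URL Rewrite addresses the outgoing
               Server response header (RESPONSE_ prefix plus header name). -->
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <!-- Rewrite to an empty string: the header is still sent,
               but without a value, as the answer notes. -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this rule in place the response still carries a `Server:` line with an empty value, whereas `removeServerHeader="true"` from the first answer omits the header entirely, so a check that only tests for the header's presence will still flag the URL Rewrite variant.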