3

I need to remove the following headers from my ASP.NET MVC 3 web app.

Server
X-AspNet-Version
X-AspNetMvc-Version
X-AspNetWebPages-Version
X-Powered-By

I found two options that work. Option 1 is cleaner and actually removes the server header, but I'm trying to find out if there are any side effects I should be worried about. Is either option better than the other? What are the pros/cons of each method?

Option 1

Global.asax.cs >> Application_Start()

PreSendRequestHeaders += Application_PreSendRequestHeaders;

Global.asax.cs

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("Server");
    HttpContext.Current.Response.Headers.Remove("X-AspNetWebPages-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-Powered-By");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}

Option 2

Web.config >> inside <system.web> node (removes X-AspNet-Version)

<httpRuntime enableVersionHeader="false" />

Web.config >> inside <system.webServer> node (removes X-Powered-By)

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

Web.config >> inside <system.webServer> node (changes value of Server, URLRewrite required)

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

Global.asax.cs >> Application_Start() (removes X-AspNetMvc-Version and X-AspNetWebPages-Version)

MvcHandler.DisableMvcResponseHeader = true;
WebPageHttpHandler.DisableWebPagesResponseHeader = true;
Community
  • 1
  • 1
  • 4
    If IIS version is 10 I found a better way to remove the server header. In web.config, in the node add a node. Within this node add . This will completely remove the header instead of rewriting the value. Note that VS17 will incorrectly throw a warning on removeServerHeader. – WoodmanBlockerville Aug 05 '19 at 19:06
  • One more note. RemoveServerHeader did not work for me in IIS 10 on Windows Server 2016 build 1607. It does work in Windows Server 2019 build 1809. – WoodmanBlockerville Aug 14 '19 at 19:22
  • Possible duplicate of https://stackoverflow.com/a/55520636/386579 – shasi kanth Apr 06 '22 at 13:40
  • Be careful on #1, https://techcommunity.microsoft.com/t5/iis-support-blog/w3wp-exe-crashes-with-c0000005-when-http-headers-are-modified/ba-p/311193 – Mike Flynn Jun 10 '22 at 01:28

2 Answers

1

In my opinion, the second version is good.

According to your description and code, I created a test demo. After publishing the project to IIS 10, I found that the response header is not removed. You can see that X-Powered-By is still there.


Besides, according to the HttpApplication.PreSendRequestHeaders Event API, you could find below remarks:

Do not use PreSendRequestHeaders with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The combination of Application Requested Routing (ARR) and websockets might lead to access violation exceptions that can cause w3wp to crash. For example, iiscore!W3_CONTEXT_BASE::GetIsLastNotification+68 in iiscore.dll has caused an access violation exception (0xC0000005).

Brando Zhang
  • 22,586
  • 6
  • 37
  • 65
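
One way to check the result of either option after deployment, as an added example that is not part of the original posts: it classifies each of the five headers from the question as absent, blank (sent with an empty value, as the URL Rewrite rule in Option 2 does for Server) or disclosed. The function names and the sample responses are constructed for illustration.

```python
DISCLOSURE_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version",
                      "X-AspNetWebPages-Version", "X-Powered-By")


def parse_head(raw):
    """Parse a raw response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Classify each header as 'absent', 'blank' or 'disclosed'."""
    headers = parse_head(raw)
    report = {}
    for name in DISCLOSURE_HEADERS:
        values = headers.get(name.lower())  # header names are case-insensitive
        if values is None:
            report[name] = "absent"
        elif all(v == "" for v in values):
            report[name] = "blank"  # header still sent, value rewritten to ""
        else:
            report[name] = "disclosed"
    return report


# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNetMvc-Version: 3.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n<html></html>"
)
OPTION2_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: \r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("option 2", OPTION2_RESPONSE)):
        print(label, audit(raw))
```
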
0

For X-AspNetWebPages-Version, now add the attribute enableVersionHeader="false" (see below) to web.config > httpRuntime.

<httpRuntime targetFramework="4.7.2" maxRequestLength="1048576" enableVersionHeader="false" />

Beau
  • 71
  • 2
  • 5