How to remove "Server" from response headers

Question

I have an asp .net core web api which acts as a proxy to some other asp .net core web api services.

Everything works great, except I can't get this header to stop appearing in responses:

server: Microsoft-IIS/10.0

I added this to web.config in both proxy and service projects

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
      <remove name="Server" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

And it seems to work for X-Powered-By, but not Server

I also tried adding

  <security>
    <requestFiltering removeServerHeader="true" />
  </security>

Now the header reads

server: Kestrel

Does anyone know why that would be, and how I can get this to work?

score 2 · Answer 1 · answered Mar 26 '21 at 01:21

2

This one works on IIS 10.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

answered Mar 26 '21 at 01:21

Muhammad Kamran Aslam

558
4
9

score 1 · Answer 2 · answered Mar 26 '21 at 05:50

As far as I know, if you want to remove the server header Kestrel, I suggest you could try below ways.

You could try to modify the UseKestrel setting in Program.CS:

   public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
                webBuilder.UseKestrel(option => option.AddServerHeader = false);
                
            });

Result:

How to remove "Server" from response headers

2 Answers2