How to remove IIS/ASP.NET Response Headers
Solution 1
Your security department wants you to do this to make the server type harder to identify. This may lessen the barrage of automated hacking tools and make it more difficult for people to break into the server.
Within IIS, open the web site properties, then go to the HTTP Headers tab. Most of the X- headers can be found and removed here. This can be done for individual sites, or for the entire server (modify the properties for the Web Sites object in the tree).
For the Server header, on IIS6 you can use Microsoft's URLScan tool to remote that. Port 80 Software also makes a product called ServerMask that will take care of that, and a lot more, for you.
For IIS7 (and higher), you can use the URL Rewrite Module to rewrite the server header or blank it's value. In web.config (at a site or the server as a whole), add this content after the URL Rewrite Module has been installed:
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
You can put a custom value into the rewrite action if you'd like. This sample sourced from this article which also has other great information.
For the MVC header, in Global.asax:
MvcHandler.DisableMvcResponseHeader = true;
Edited 11-12-2019 to update the IIS7 info since the TechNet blog link was no longer valid.
Solution 2
To remove all custom headers that disclose too much information - the methods are varied (unfortunately) for IIS 7:
Header Name: X-Powered-By
Add:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
in the <system.webServer> section.
Header Name: Server
Implement an httpModule that strips this header out by calling Response.Headers.Remove("Server") from the PreSendRequestHeaders event. Another resource for this: Cloaking your ASP.NET MVC Web Application on IIS 7
Header Name: X-AspNet-Version
In the httpRuntime section of the web.config - set:
<httpRuntime enableVersionHeader="false" />
Header Name: X-AspNetMvc-Version
From the Application_Start event in global.asax - execute the following code (C#):
MvcHandler.DisableMvcResponseHeader = true;
Solution 3
Putting this in an ASP.NET application's web.config file will get rid of the X-AspNet-Version header:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
Note that the system.web tag should already exist in the file. Don't create a duplicate, just add the httpRuntime tag. The httpRuntime tag might also already exist. If so, just add the attribute or set its value if it's already there.
Solution 4
Having just been through the "hardening" cycle on my current project - I blogged about the approach we took, which includes a HTTPModule for removing the following headers:
Server,
X-AspNet-Version,
X-AspNetMvc-Version,
X-Powered-By
Pertinent pieces reproduced below:
But there is no easy way to remove the Server response header via configuration. Luckily IIS7 has a managed pluggable module infrastructure which allows you to easily extend its functionality. Below is the source for a HttpModule for removing a specified list of HTTP Response Headers:
namespace Zen.Core.Web.CloakIIS
{
#region Using Directives
using System;
using System.Collections.Generic;
using System.Web;
#endregion
/// <summary>
/// Custom HTTP Module for Cloaking IIS7 Server Settings to allow anonymity
/// </summary>
public class CloakHttpHeaderModule : IHttpModule
{
/// <summary>
/// List of Headers to remove
/// </summary>
private List<string> headersToCloak;
/// <summary>
/// Initializes a new instance of the <see cref="CloakHttpHeaderModule"/> class.
/// </summary>
public CloakHttpHeaderModule()
{
this.headersToCloak = new List<string>
{
"Server",
"X-AspNet-Version",
"X-AspNetMvc-Version",
"X-Powered-By",
};
}
/// <summary>
/// Dispose the Custom HttpModule.
/// </summary>
public void Dispose()
{
}
/// <summary>
/// Handles the current request.
/// </summary>
/// <param name="context">
/// The HttpApplication context.
/// </param>
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
}
/// <summary>
/// Remove all headers from the HTTP Response.
/// </summary>
/// <param name="sender">
/// The object raising the event
/// </param>
/// <param name="e">
/// The event data.
/// </param>
private void OnPreSendRequestHeaders(object sender, EventArgs e)
{
this.headersToCloak.ForEach(h => HttpContext.Current.Response.Headers.Remove(h));
}
}
}
Ensure that you sign the assembly, then you can install it into the GAC of your web servers and simply make the following modification to your application’s web.config (or if you want it to be globally applied, to the machine.config):
<configuration>
<system.webServer>
<modules>
<add name="CloakHttpHeaderModule"
type="Zen.Core.Web.CloakIIS.CloakHttpHeaderModule, Zen.Core.Web.CloakIIS,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=<YOUR TOKEN HERE>" />
</modules>
</system.webServer>
</configuration>
Solution 5
I use following code and works for me iis 7.5
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}
Related videos on Youtube
07 : 45
06 : 45
02 : 11
14 : 42
04 : 50
Comments
-
Paully over 1 year
I have a couple IIS/6.0 servers that security is asking me to remove a couple of response headers that are sent to client browsers on requests. They are concerned about divulging platform information through response headers. I have removed all the HTTP-HEADERS out of the IIS configuration for the website (X-Powered-By or some such header).
(I personally do know that this information can be easily found out, even if it is hidden, but it isn't my call.)
Headers I want to remove:
- Server - Microsoft-IIS/6.0
- X-AspNet-Version - 2.0.50727
I also know that ASP.NET MVC also emits its own header too, if you know how to remove it also, that would be helpful.
- X-AspNetMvc-Version - 1.0
-
Paully almost 15 yearsAccepted answer, wish I could share the answer with @squillman. Web.config to fix X-AspNet-Version: <system.web> <httpRuntime enableVersionHeader="false" /> </system.web>
-
Renkai over 14 yearsThe X header removal puts this in my web.config, so save yourself some time: <system.webServer> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol> </system.webServer>
-
realMarkusSchmidt over 13 yearsSuppress the generation of the headers by configuration seems to make much more sense than having the headers generated and then remove it.
-
UpTheCreek over 13 yearsHowever this leaves the 'powered by' header.
-
AFract over 8 yearsI'd just want to precise something : most of these tricks will only work with IIS >=7 in Integrated Pipeline mode. In Classic Mode it will at best do nothing (<remove> lines in web.config) or throw an exception (direct calls to Response.Headers in global.asax, which is another solution to remove headers). I'm working on a website stuck to Classic Mode and unfortunately I have not been able to remove these headers. -
Mark Sowul over 8 yearsWhat about your images and content that doesn't go through the code pipeline? -
Danny Schoemann over 8 yearsSeems like that link is now dead. :-( -
neda Derakhshesh almost 6 yearsbut when I put this line code in thesystem.webmy website goes down. do you know why? -
Nasir Mahmood almost 6 yearsI have put just "Server" nothing else. if your header name is different you can try it with different name.
-
crthompson about 5 yearsThis was the solution to my problem. using win2008 R2 (IIS 7.5) -
eliteproxy almost 4 yearsFor context, I believe this would go in a .net global.asa file
-
Ron almost 3 yearsIs there a way to hide the Asp.Net MVC version on the config itself ? I know, i can achieve this in the global.asax.cs file, but what if i wanted to , on the IIS server itself ?
