Removing Server header from static content in IIS 7/8


Solution 1

You should be able to force all requests to go through your managed code by adding this to your web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

Then, even static files should adhere to your header rules.

Solution 2

The only one without an easily found solution was the "Server" header. I was able to remove it locally in IIS and in an Azure web site by adding this in the web.config:

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>

Solution 3

The same way as in this answer, and on this website:, you should use the following steps:

C#:

using System;
using System.Web;

namespace MvcExtensions.Infrastructure
{
    // IHttpModule that strips the Server header just before the response
    // headers are sent. Needs the IIS integrated pipeline and must be
    // registered in web.config (see below); like any managed module it only
    // runs for requests that pass through ASP.NET.
    public class CustomServerName : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Remove("Server");
        }
    }
}

Web.config:

<system.webServer>
   <modules>
      <add name="CustomHeaderModule" type="MvcExtensions.Infrastructure.CustomServerName" />
   </modules>
</system.webServer>

Solution 4

Unfortunately, managed code modules only work for requests passing through the ASP.NET pipeline. Whilst others have correctly suggested it is possible to force all requests through managed code, I personally feel this is less than desirable.

In order to remove headers from all requests, including static content (which by default is served directly and not through managed code), it is possible to use a native-code module. Unfortunately, native-code modules are a little more difficult to write, as they use the Win32 APIs rather than ASP.NET; however, in my experience they are much more suitable for removing headers.

The following link has binaries and source code for a native-code module that can be used to remove headers. It requires no extra configuration to remove the "Server" header, but other headers to remove can be added in the IIS configuration.

http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

Solution 5

Use IIS URL Rewrite 2.0 to blank the Server response header. Add the following to the Web.config file:

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Remove RESPONSE_Server">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

https://stackoverflow.com/a/12615970/5810078
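Whichever of the approaches above is applied, the gap the question describes is only closed when a static asset is checked as well as a dynamic page. The following is an added example, not code from any answer on this page: it parses raw HTTP response heads (the samples are constructed from the question's own header blocks) and reports which fingerprinting headers are still present; `fetch_head` is a hypothetical helper for running the same check against a live site.

```python
import http.client
from urllib.parse import urlparse

# Headers that reveal the web server or framework version (those named on this page).
FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response head (status line plus headers) into a dict.
    Header names are case-insensitive, so keys are lower-cased."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # [1:] skips the status line
        name, _, value = line.partition(":")       # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def leaking_headers(raw: str) -> dict:
    """Return {header: value} for every fingerprinting header still present.
    A blanked Server header (Solution 5 rewrites it to "") shows up with an
    empty value, so the reviewer can see it is present but empty."""
    headers = parse_headers(raw)
    return {h: headers[h.lower()] for h in FINGERPRINT_HEADERS if h.lower() in headers}


def fetch_head(url: str, timeout: float = 5.0) -> str:
    """Hypothetical helper: HEAD a URL and return the response head as raw text.
    Run it for a dynamic page and for a static asset (image, .css, .js) and compare."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        head = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        return "\n".join(head + [f"{k}: {v}" for k, v in resp.getheaders()])
    finally:
        conn.close()


# Constructed samples from the question: the dynamic response after stripping,
# and the static-file response that still carries the Server header.
DYNAMIC_AFTER = """HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687"""

STATIC_STILL_LEAKING = """HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT"""
```

`leaking_headers(DYNAMIC_AFTER)` is empty while `leaking_headers(STATIC_STILL_LEAKING)` reports the Server header, which is exactly the difference the question observed.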

Question

Chris Doggett (updated on January 23, 2020)

As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.

Example before stripping headers:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687

Web.config:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

Global.asax.cs:

protected void Application_PreSendRequestHeaders() {
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
    Response.AddHeader("Strict-Transport-Security", "max-age=300");
    Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}

And after that, all calls to the site and API return safer headers, like so:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687

So far, so good. However, I've noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the Server header.

HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT

I'm assuming this is being handled by IIS somehow, but I can't find anywhere to remove that header. I've tried adding:

<remove name="Server" />

to the httpProtocol/customHeaders section in Web.config, as mentioned above. I've also tried going into the IIS Manager's HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns

Server: Microsoft-IIS/8.0

when loading any images, CSS, or JS. Where/what do I need to set to fix this?