James

Reputation: 7533

Why aren't the Server and X-Powered-By headers being removed?

My ASP.NET 4.5 app is being deployed to shared hosting so I do not have access to IIS settings. To remove the X-Powered-By header, I specify in web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

And to remove the Server header, I specify in Global.asax:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
  HttpContext.Current.Response.Headers.Remove("Server");
}

However, responses still contain both headers:

Cache-Control:private
Content-Encoding:deflate
Content-Length:672
Content-Type:text/html; charset=utf-8
Date:Sun, 06 Jan 2013 00:41:20 GMT
Server:Microsoft-IIS/7.5
X-Powered-By:ARR/2.5
X-Powered-By:ASP.NET

How can I remove them?

Upvotes: 6

Views: 5812

Answers (4)

Frédéric

Reputation: 9864

The X-Powered-By:ASP.NET is normally removed by a simple web.config configuration:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
...

The ARR one is unaffected by this configuration; it has to be removed through the IIS Manager, Editor configuration on the IIS root (not on a site): go to the system.webServer/proxy node and set arrResponseHeader to false. After an IISReset, it is taken into account.
I found this one here, except that this post is about the old IIS 6.0 way of configuring things.

So for your case, without access to IIS settings, you would have to ask the server owner to adjust his configuration. Or try the Url Rewrite solution but, of course, with the HTTP_X_Powered_By server variable. It will at best only blank out the header, and I have not checked that it works for the ARR case.

Upvotes: 2

user3313289

Reputation: 1

Mostly, IIS doesn't allow us to remove server tags. You can try the following code to achieve your goal. Add it in Global.asax:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Set("Server", "");
}

This code will remove your "X-AspNet-Version" and set the Server value to blank.

Upvotes: 0

Owen Blacker

Reputation: 4195

I'm not sure why your X-Powered-By isn't being removed, but a Windows Update patch earlier this year made it so that the Application_PreSendRequestHeaders fix no longer removed the Server: header for us.

We had to add a section to our system.webServer block (in the Web.config) using IIS URL Rewrite Module 2:

<rewrite>
    <outboundRules>
        <rule name="Remove RESPONSE_Server">
            <match serverVariable="RESPONSE_Server" pattern=".+"/>
            <action type="Rewrite" value=""/>
        </rule>
    </outboundRules>
</rewrite>

Upvotes: 6

James

Reputation: 82096

If you are using IIS 7, setting the DisableMvcResponseHeader property to true in the Global.asax should remove the "X-Powered-By" header:

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

Upvotes: 0
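To check what each of the fixes in the answers above actually achieved, the following added example (not part of any post on this page) audits a raw response header block and distinguishes a header that is gone from one that is only blanked or still leaking, including repeated headers such as the two X-Powered-By lines in the question. The function names and the AFTER sample are constructed for illustration.

```python
"""Audit a raw HTTP response header block for server-fingerprinting headers."""
from collections import defaultdict

# Disclosing headers that appear in this thread.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version")


def parse_headers(raw):
    """Return {lower-case name: [values]}; repeated headers keep every value."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep and name.strip():
            headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def audit(raw):
    """Map each disclosing header to 'absent', 'blank' or the values it leaks."""
    headers = parse_headers(raw)
    report = {}
    for name in DISCLOSING:
        values = headers.get(name.lower())
        if values is None:
            report[name] = "absent"
        elif not any(values):
            report[name] = "blank"  # header is still sent, only its value is empty
        else:
            report[name] = [v for v in values if v]
    return report


# Response headers as posted in the question.
BEFORE = """Cache-Control:private
Content-Type:text/html; charset=utf-8
Date:Sun, 06 Jan 2013 00:41:20 GMT
Server:Microsoft-IIS/7.5
X-Powered-By:ARR/2.5
X-Powered-By:ASP.NET"""

# Constructed sample: Server blanked by an outbound rule, ARR header untouched.
AFTER = """Cache-Control:private
Server:
X-Powered-By:ARR/2.5"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

Paste the headers from the browser's network tab or a saved response into `audit()` after each configuration change; a "blank" result means the header name is still on the wire.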
