Xaqron

Reputation: 30847

How to delete IIS custom headers like X-Powered-By: ASP.NET from response?

In IIS 7.0 integrated mode, after deleting all headers with Response.ClearHeaders(), IIS still adds some other headers like Server and X-Powered-By, which reveal good information to hackers. How can I stop this behavior (consider that I still need to add my custom headers)?

Upvotes: 51

Views: 56937

Answers (7)

reads0520

Reputation: 716

For IIS7+ integrated mode, eth0 has it: <customHeaders> tag in web.config. Thanks for that. As for the "Server" header, if using MVC, you can simply add:

    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
    }

to your MvcApplication class in Global.asax. Otherwise, you can simply add a custom Http Module, handling the PreSendRequestHeaders event, and do the same thing.

UPDATE: This is not recommended, see comments.

Upvotes: 6

Sprouter

Reputation: 452

Would like to add here that for the ASP.NET Core versions where there is no longer a web.config file, a different approach is necessary.

I made the following adjustments to remove the headers in ASP.NET Core 2.1:

You can remove the x-powered-by header by replacing

    <customHeaders>
        <clear />
        <add name="X-Powered-By" value="ASP.NET" />
    </customHeaders>

with

    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>

in the applicationhost.config file found in the .vs\config folder of the project.

The server header can be removed by adding

    .UseKestrel(c => c.AddServerHeader = false)

in the Program.cs file.

Upvotes: 5

Saurabh R S

Reputation: 3177

You can use appcmd.exe (IIS 7 and above) to do your job. The script will be like this:

C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webserver/httpProtocol /-customHeaders.["name='X-Powered-By'"] /commit:apphost  

/commit:apphost: This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

I usually create a batch file of all these scripts which I run on the web server after the application is installed.

For ASP.NET MVC applications the approach is different and you can refer to other answers given here.

Upvotes: 1

eth0

Reputation: 5137

You can add this to your Web.Config:

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

Update: if you're using the MVC framework I would also recommend removing the X-AspNetMvc-Version and X-AspNet-Version headers as well. This is accomplished by setting MvcHandler.DisableMvcResponseHeader = true in your Global.asax file and <system.web><httpRuntime enableVersionHeader="false" /></system.web> in your Web.config respectively.

Upvotes: 97
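Once the web.config, Global.asax and IIS changes from the answers above are in place, the practical check is to fetch a page and confirm that none of the four telltale headers (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version) come back. The script below is an added example, not code from the question or any of the answers: it parses a raw HTTP/1.x response and reports which of those headers are still present. The two sample responses are constructed to look like a default IIS 7.5 / MVC 3 reply before and after hardening; they were not captured from a real server. The optional live mode issues a HEAD request with urllib and needs network access. It only inspects headers, so it says nothing about the other fingerprinting avenues (error pages, cookie names, URL conventions) that a header cleanup does not hide.

```python
"""Audit an HTTP response for IIS / ASP.NET fingerprint headers.

Added example, not part of the original question or answers.
Run with no arguments to audit the constructed sample responses, or pass a
URL to audit a live server (network access required for the latter).
"""
from __future__ import annotations

import sys
import urllib.request

# Header names taken from the answers above; compared case-insensitively
# because HTTP header names are case-insensitive.
FINGERPRINT_HEADERS = (
    "Server",
    "X-Powered-By",
    "X-AspNet-Version",
    "X-AspNetMvc-Version",
)


def parse_raw_response(raw: bytes) -> tuple[str, dict[str, list[str]]]:
    """Split a raw HTTP/1.x response into its status line and header map.

    Returns (status_line, headers); headers maps lower-cased names to the
    list of values seen, since a header may legitimately repeat.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def leaking_headers(headers: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return the fingerprint headers that are present, keyed by canonical name."""
    return {
        name: headers[name.lower()]
        for name in FINGERPRINT_HEADERS
        if name.lower() in headers
    }


def audit_raw(raw: bytes) -> dict[str, list[str]]:
    """Audit a raw response; empty dict means nothing leaks."""
    _status, headers = parse_raw_response(raw)
    return leaking_headers(headers)


def audit_url(url: str) -> dict[str, list[str]]:
    """Live check: send a HEAD request and audit the headers that come back."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        headers: dict[str, list[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return leaking_headers(headers)


# Constructed sample: what a default IIS 7.5 / ASP.NET MVC 3 reply looks like.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-AspNetMvc-Version: 3.0\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same reply after the removals from the answers above.
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    found = audit_url(sys.argv[1]) if len(sys.argv) > 1 else audit_raw(BEFORE)
    if not found:
        print("OK: no fingerprint headers present")
    for name, values in found.items():
        print(f"LEAK: {name}: {', '.join(values)}")
    sys.exit(1 if found else 0)
```

A non-empty result is the list you still have to chase down: X-Powered-By and Server are set by IIS itself (customHeaders and the Server header handling), while X-AspNet-Version and X-AspNetMvc-Version come from the ASP.NET runtime and MVC respectively, which is why the fixes live in different places.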

Nick Evans

Reputation: 3339

The following answer includes a complete solution that does not require URLScan or a custom HttpModule, and removes all the related headers you mention. It also works on Azure.

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

Upvotes: 3

Lex Li

Reputation: 63173

URLScan can be used to remove the Server header, or to configure another Server header: http://learn.iis.net/page.aspx/938/urlscan-3-reference/

But it never really prevents a hacker from knowing what you use. There are obviously other ways to detect your server information.

Upvotes: 1

Samuel Neff

Reputation: 74909

The X-Powered-By is configured within IIS. On Windows 7 it's specifically:

  1. IIS Manager
  2. COMPUTER NAME > Sites > Default Web Site
  3. HTTP Response Headers
  4. Remove X-Powered-By

I'm not sure what generates the Server header though.

Upvotes: 14
