eat-sleep-code

Reputation: 4855

Remove "Server" header from ASP.NET Core 2.1 application

Is it possible to remove the Server response header in an ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?

I tried putting the following in the web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <remove name="X-Powered-By" />
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

The first four alterations to the response worked fine, but the Server header was not removed. I still see "Kestrel".

Upvotes: 43

Views: 60543

Answers (8)

Pouriya Ghasemi

Reputation: 44

The answers are right, but for Kestrel you can also use ConfigureKestrel in Program.cs instead of UseKestrel(), because UseKestrel forces the use of Kestrel, whereas ConfigureKestrel applies only if you host on Kestrel, so you can also host the app on IIS.

builder.WebHost.ConfigureKestrel(option => option.AddServerHeader = false);

Upvotes: 1

Vladyslav Fomin

Reputation: 141

These directions apply to IIS 10.0 only.

  1. Open the web.config file located in the root directory for the website.

  2. Configure requestFiltering in the web.config system.webServer node:

    <security>
        <requestFiltering removeServerHeader="true" />
    </security>

  3. Save the file and restart your IIS app.

Upvotes: 6

Ogglas

Reputation: 70176

The answer from @SamAlekseev is really good for removing Server and X-Powered-By header. The only thing missing is removing X-AspNet-Version as well. This works for Azure App Services as well as IIS.

Complete web.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
  <!--
  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
  </system.webServer>
  -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false"/>
  </system.web>
</configuration>

Source:

https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/

Upvotes: 0

ricky888

Reputation: 936

In .NET 6, it becomes

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.UseKestrel(option => option.AddServerHeader = false);

Upvotes: 31

user1336

Reputation: 7215

The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.

You can remove the Server header by setting the AddServerHeader property to false on KestrelServerOptions. This can be done in Program.cs.

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options => options.AddServerHeader = false)
            .UseStartup<Startup>();

Upvotes: 67

nilobarp

Reputation: 4084

For .NET Core 3.1, UseKestrel is part of ConfigureWebHostDefaults, as opposed to CreateDefaultBuilder in earlier versions.

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>()
                      .UseKestrel(options => options.AddServerHeader = false);
        });

Upvotes: 8

Enrico Massone

Reputation: 7348

Those who are trying to do the same thing (removing the Server response header added by the Kestrel web server) but are using ASP.NET Core 2.2 instead should use the extension method ConfigureKestrel (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.webhostbuilderkestrelextensions.configurekestrel?view=aspnetcore-2.2#Microsoft_AspNetCore_Hosting_WebHostBuilderKestrelExtensions_ConfigureKestrel_Microsoft_AspNetCore_Hosting_IWebHostBuilder_System_Action_Microsoft_AspNetCore_Server_Kestrel_Core_KestrelServerOptions__) instead of the extension method UseKestrel.

Upvotes: 9

Sam Alekseev

Reputation: 2391

This solution works on IIS 10+ and allows removing the X-Powered-By and Server headers from the server response.

In IIS 10 a new attribute was added: removeServerHeader.

We need to create a web.config file in the ASP.NET Core application with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Then publish the app and restart the site on IIS.

Upvotes: 91
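
The web.config settings named in the answers by Sam Alekseev and Ogglas can be checked before deployment. The following is an added example, not part of any answer on this page: a Python audit that reports which of the three header-suppression settings are missing and flags the customHeaders `<remove name="Server" />` entry that the question found ineffective. The function name and the condensed sample configs are assumptions made for illustration; Kestrel's AddServerHeader option is set in code and is outside what a web.config check can see.

```python
import xml.etree.ElementTree as ET

def _attr_is(elem, name, expected):
    """True when elem exists and its attribute equals expected (case-insensitive)."""
    return elem is not None and elem.get(name, "").strip().lower() == expected

def audit_web_config(xml_text):
    """Return findings for missing header-suppression settings; [] means none missing."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    # Server: the IIS 10+ requestFiltering attribute named in the answers.
    rf = root.find(".//security/requestFiltering")
    if not _attr_is(rf, "removeServerHeader", "true"):
        findings.append("Server: requestFiltering removeServerHeader is not true")
    # Names listed as <remove> entries under customHeaders.
    removed = {r.get("name", "").lower()
               for r in root.findall(".//httpProtocol/customHeaders/remove")}
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By: no <remove> entry in customHeaders")
    if "server" in removed:
        # The question reports that this entry left the Server header in place.
        findings.append("Server: customHeaders <remove> entry did not work in the question")
    # X-AspNet-Version: httpRuntime enableVersionHeader="false".
    rt = root.find(".//system.web/httpRuntime")
    if not _attr_is(rt, "enableVersionHeader", "false"):
        findings.append("X-AspNet-Version: httpRuntime enableVersionHeader is not false")
    return findings

# Constructed samples, condensed from the configs quoted on this page.
QUESTION_CONFIG = """
<system.webServer><httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
  <remove name="Server" />
</customHeaders></httpProtocol></system.webServer>
"""
COMPLETE_CONFIG = """
<configuration>
  <system.webServer>
    <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
    <security><requestFiltering removeServerHeader="true" /></security>
  </system.webServer>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("complete", COMPLETE_CONFIG)):
        print(label, audit_web_config(cfg) or "ok")
```
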
