How to remove Server Header in Asp.Net Core 2.2.1 Web App?

Question

I'm using Asp.Net Core 2.2.1. I'm trying to remove the server Header from the response. I tried adding options.AddServerHeader = false; inside ConfigureKestrel(), but still unsuccessful. Please assist me on where I'm going wrong.

Here is my code:

Program.cs

    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args)
        {
            return WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .ConfigureKestrel((context,options) => {
                    // Set properties and call methods on options
                    options.AddServerHeader = false;
                });
        }
    }

Web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44342" />
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
      </environmentVariables>
    </aspNetCore>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Response Image

Thanks,

Abdul

Answer 1

Calling ConfigureKestrel with options.AddServerHeader = false; will only remove the server header if your application is running on Kestrel. When you are hosting your application on IIS/IISExpress, you need to add the web.config with the following settings:

<configuration> 
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

This line <requestFiltering removeServerHeader="true" /> will do the trick. In addition, you can also remove the custom headers, such as X-Powered-By, if you like by adding the customHeaders section under httpProtocol

Please make sure you have Request Filtering enabled

I hope this helps.

Answer 2

We can do this with URLRewrite. Please note this will not remove the header all together but it will remove the value of it.

Following are the steps:

Step 1. Install URLRewrite. To install the URLRewrite please go to the following link

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the Server header and click on the URLRewrite section.

Step 3. Click on the “View Server Variables” in the Actions pane in the right hand side.

Step 4. Click on the Add button and then enter “RESPONSE_SERVER” in the textbox provided.

Step 5. Now we need to create an outbound rule. To know how to create an outbound rule, look at the following link

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-modul...

Step 6. Create an Outbound rule as the following.

Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the Server header, so you may need to remove this rule for those applications.