asp.net core remove X-Powered-By cannot be done in middleware

Question

Why can I not remove X-Powered-By as part of my middleware that I am executing? I can remove it if I put in the web.config but not if I put it in the middleware. I am removing another header in the middleware "Server" : "Kestrel" which works and tells me my middleware is being executed.

I am using Visual Studio 2015, ASP.Net Core Web Application (.NET Framework), 1.0.0-rc2-final

My middleware

public class ManageHttpHeadersMiddleware
{
    private RequestDelegate _next;

    public ManageHttpHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        context.Response.OnStarting(() =>
        {
            context.Response.Headers.Remove("Server");
            context.Response.Headers.Remove("X-Powered-By");

            return Task.CompletedTask;
        });

        await _next(context);
    }
}

My Startup.Configure method looks like this

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddSerilog(new LoggerConfiguration()
            .ReadFrom.ConfigurationSection(Configuration.GetSection("Serilog"))
            .CreateLogger())
            .AddDebug();

        app.UseMiddleware<ManageHttpHeadersMiddleware>();

        app.UseJwtBearerAuthentication();

        app.UseMvc();

        app.UseSwaggerGen();
        app.UseSwaggerUi();
    }

So my questions are :

1. Is it because of the order in which I am executing the middleware in the Startup.Configure ?
2. Is it because of the event I am executing in the middleware ? I have tried using OnCompleted but its obviously to late and does not then remove "Server" : "Kestrel"
3. Is it because its added by Kestrel or IIS in Azure and the only way to remove is via the web.config ?

I know that you could argue I have a work around and what's my problem, but it would be nice to achieve the same requirement in the same code location, to help maintainability, etc, etc.

Answer 1

We can remove X-Powered-By and other headers with web.config as it added again in asp.net core

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

Answer 2

Heres a complete web.config in the application root of a dotnet core 3.1 application that removes the X-Powered-By and Server headers. The other stuff is default when you add the file from Project > Add > New item > Web Config file

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
    <httpProtocol>
      <!-- Remove X-Powered-By header -->
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
    <security>
        <!-- Remove Server header-->
        <requestFiltering removeServerHeader ="true" />
    </security>
  </system.webServer>
</configuration>