In IIS 7.0 integrated mode, after deleting all headers with Response.ClearHeaders(), IIS would add some other headers like Server and X-Powered-By, which reveal good information to hackers. How can I stop this behavior (consider I still need to add my custom headers)?
In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.
You can add this to your Web.Config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Update: if you're using the MVC framework I would also recommend removing the X-AspNetMvc-Version and X-AspNet-Version headers. This is accomplished by setting MvcHandler.DisableMvcResponseHeader = true in your Global.asax file and <system.web><httpRuntime enableVersionHeader="false" /></system.web> in your Web.config, respectively.
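A combined Web.config that applies the removals from this answer while still adding a custom header, added here as an example and not part of the answer itself. The custom header name X-Custom-App is an assumed placeholder, and the requestFiltering line is an assumption that only applies to IIS 10.0 and later (it does not exist on the IIS 7.0 in the question); the MVC header is disabled in Global.asax code as described above and is not covered by this file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the X-Powered-By header that IIS adds on its own. -->
        <remove name="X-Powered-By" />
        <!-- Custom headers are still added; the name is an assumed example. -->
        <add name="X-Custom-App" value="example" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Assumption: removeServerHeader is only available on IIS 10.0 and
           later (not IIS 7.0); there it strips the Server header. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, check the response headers of the site (for example with a browser's network tab) to confirm that Server, X-Powered-By and X-AspNet-Version no longer appear while X-Custom-App does.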
The X-Powered-By header is configured within IIS. On Windows 7 it's specifically:
X-Powered-By
I'm not sure what generates the Server header though.