
How to delete IIS custom headers like X-Powered-By: ASP.NET from response?

In IIS 7.0 integrated mode, after deleting all headers with Response.ClearHeaders(), IIS would add some other headers like Server and X-Powered-By, which reveal good information to hackers. How can I stop this behavior (consider that I still need to add my custom headers)?

Xaqron asked Nov 02 '10 14:11


People also ask

How do I get rid of Microsoft IIS 8.5 from response header?

In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.


2 Answers

You can add this to your Web.Config:

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

Update: if you're using the MVC framework I would also recommend removing the X-AspNetMvc-Version and X-AspNet-Version headers as well. This is accomplished by setting MvcHandler.DisableMvcResponseHeader = true in your Global.asax file and <system.web><httpRuntime enableVersionHeader="false" /></system.web> in your Web.config respectively.

eth0 answered Sep 25 '22 06:09


The X-Powered-By is configured within IIS. On Windows 7 it's specifically:

  1. IIS Manager
  2. COMPUTER NAME > Sites > Default Web Site
  3. HTTP Response Headers
  4. Remove X-Powered-By

I'm not sure what generates the Server header though.

Samuel Neff answered Sep 26 '22 06:09

Samuel Neff
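
To confirm that the settings from both answers took effect, this added example (not part of either answer) parses a response's headers and lists the version-disclosing ones that remain, each paired with the fix given on this page. The sample responses are constructed, and the function names and the `fetch` helper are this example's own.

```python
"""Added example: report which version-disclosing headers a response still sends."""
import http.client
import io

# Header -> the fix given in the answers on this page (None: no fix is given here).
FIXES = {
    "x-powered-by": '<remove name="X-Powered-By" /> under <customHeaders> in Web.config',
    "x-aspnet-version": '<httpRuntime enableVersionHeader="false" /> in Web.config',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true in Global.asax",
    "server": None,
}

def disclosed(header_pairs):
    """Return [(name, value, fix)] for each disclosing header, matched case-insensitively."""
    return [(n, v, FIXES[n.lower()]) for n, v in header_pairs if n.lower() in FIXES]

def parse_raw(raw):
    """Parse the header block of a raw HTTP response (bytes) into (name, value) pairs."""
    fp = io.BytesIO(raw)
    fp.readline()  # skip the status line
    return http.client.parse_headers(fp).items()

def fetch(host, path="/", port=80):
    """Live check: HEAD request against your own server; returns (name, value) pairs."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nX-Powered-By: ASP.NET\r\n"
          b"X-AspNet-Version: 4.0.30319\r\nX-AspNetMvc-Version: 3.0\r\n"
          b"X-My-Header: kept\r\n\r\n")
AFTER = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nX-My-Header: kept\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for name, value, fix in disclosed(parse_raw(raw)):
            print(f"  {name}: {value} -> {fix or 'no fix given on this page'}")
```

Run the check against a page handled by ASP.NET as well as a static file, since the two paths can emit different headers.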