Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to remove x-powered-by header in .net core 2.0

Tags:

c#

security

azure

I tried to use this middleware:

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        this.next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        context.Response.OnStarting(state =>
        {
            var ctx = (HttpContext)state;

            if (!ctx.Response.Headers.ContainsKey("Arr-Disable-Session-Affinity"))
            {
                ctx.Response.Headers.Add("Arr-Disable-Session-Affinity", "True"); // Disables the Azure ARRAffinity cookie
            }

            if (ctx.Response.Headers.ContainsKey("Server"))
            {
                ctx.Response.Headers.Remove("Server"); // For security reasons
            }

            if (ctx.Response.Headers.ContainsKey("x-powered-by") || ctx.Response.Headers.ContainsKey("X-Powered-By"))
            {
                ctx.Response.Headers.Remove("x-powered-by");
                ctx.Response.Headers.Remove("X-Powered-By");
            }

            if (!ctx.Response.Headers.ContainsKey("X-Frame-Options"))
            {
                ctx.Response.Headers.Add("X-Frame-Options", "DENY");
            }

            return Task.FromResult(0);
        }, context);

        await next(context);
    }
}

x-powered-by is still there in response header which says asp.net

like image 413
sensei Avatar asked Aug 25 '17 13:08

sensei


People also ask

How do I get rid of X-powered-by response header?

Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.

How do I remove a response header?

You can't delete headers afterwards by the standard Servlet API. Your best bet is to just prevent the header from being set.

What is X-powered-by in HTTP header?

The X-Powered-By header describes the technologies used by the webserver. This information exposes the server to attackers. Using the information in this header, attackers can find vulnerabilities easier.


3 Answers

As far as I know, the removal of these headers is facilitated with the Request Filtering module, which is part of IIS.

To remove a header, you need to have a web.config file stored on your site, with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->

  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>


</configuration>

Add this web.config to your net core application's root folder.

Then it will remove the x-powered-by header.

The result like this:

enter image description here

like image 143
Brando Zhang Avatar answered Oct 17 '22 19:10

Brando Zhang


  • In addition to @Brando Zhang answer, To remove "Server:Kestrel" from response header:

-.NET Core 1

 var host = new WebHostBuilder()
        .UseKestrel(c => c.AddServerHeader = false)
        .UseContentRoot(Directory.GetCurrentDirectory())
        .UseIISIntegration()
        .UseStartup<Startup>()
        .Build();

-NET Core 2

WebHost.CreateDefaultBuilder(args)
               .UseKestrel(c => c.AddServerHeader = false)
               .UseStartup<Startup>()
               .Build();
like image 24
Ahmed Al Jabry Avatar answered Oct 17 '22 20:10

Ahmed Al Jabry


If you don't want to create a web.config file in a ASP.NET Core solution, you can remove the X-Powered-By header in IIS Manager.

Click on <ServerName> --> HTTP Response Headers --> X-Powered-By and choose the Remove action.

IIS

This will remove the header for all websites on that server. Which is fine because why would you want to share that info in the first place?

like image 7
Rubanov Avatar answered Oct 17 '22 18:10

Rubanov