I tried to use this middleware:
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate next;

    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        this.next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // Callback runs right before the response headers are written
        context.Response.OnStarting(state =>
        {
            var ctx = (HttpContext)state;
            if (!ctx.Response.Headers.ContainsKey("Arr-Disable-Session-Affinity"))
            {
                ctx.Response.Headers.Add("Arr-Disable-Session-Affinity", "True"); // Disables the Azure ARRAffinity cookie
            }
            if (ctx.Response.Headers.ContainsKey("Server"))
            {
                ctx.Response.Headers.Remove("Server"); // For security reasons
            }
            if (ctx.Response.Headers.ContainsKey("x-powered-by") || ctx.Response.Headers.ContainsKey("X-Powered-By"))
            {
                ctx.Response.Headers.Remove("x-powered-by");
                ctx.Response.Headers.Remove("X-Powered-By");
            }
            if (!ctx.Response.Headers.ContainsKey("X-Frame-Options"))
            {
                ctx.Response.Headers.Add("X-Frame-Options", "DENY");
            }
            return Task.FromResult(0);
        }, context);
        await next(context);
    }
}
x-powered-by is still there in the response headers, and it says asp.net.
Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.
You can't delete headers afterwards by the standard Servlet API. Your best bet is to just prevent the header from being set.
The X-Powered-By header describes the technologies used by the web server. This information exposes the server to attackers: using the information in this header, attackers can find vulnerabilities more easily.
As far as I know, the removal of these headers is facilitated with the Request Filtering module, which is part of IIS.
To remove a header, you need to have a web.config file stored on your site, with the following content:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- To customize the asp.net core module uncomment and edit the following section.
       For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Add this web.config to your .NET Core application's root folder.
Then it will remove the x-powered-by header.
The result looks like this:
- .NET Core 1
var host = new WebHostBuilder()
    .UseKestrel(c => c.AddServerHeader = false) // stops Kestrel adding its own "Server" header
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();
- .NET Core 2
WebHost.CreateDefaultBuilder(args)
    .UseKestrel(c => c.AddServerHeader = false) // stops Kestrel adding its own "Server" header
    .UseStartup<Startup>()
    .Build();
If you don't want to create a web.config file in an ASP.NET Core solution, you can remove the X-Powered-By header in IIS Manager.
Click on <ServerName> --> HTTP Response Headers --> X-Powered-By and choose the Remove action.
This will remove the header for all websites on that server. Which is fine because why would you want to share that info in the first place?
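Whichever of the above you apply (web.config, Kestrel's AddServerHeader, or IIS Manager), verify the deployed result rather than assuming it. The following is an added example and not code from the question or any answer: it parses a raw HTTP response head and reports headers that disclose the stack, plus the X-Frame-Options header the question's middleware adds. The two sample responses are constructed to show an IIS-hosted site before and after the removal.

```python
from typing import Dict, List

# Header names that identify the stack; HTTP header names are case-insensitive.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Hardening header the question's middleware adds, with the values we accept.
EXPECTED_HEADERS = {"x-frame-options": ("DENY", "SAMEORIGIN")}


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into {lower-cased name: [values]}.
    A header sent twice (e.g. once by Kestrel, once by IIS) keeps both values."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one parsed response; an empty list means clean."""
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            findings.append(f"disclosing header present: {name}: {value}")
    for name, allowed in EXPECTED_HEADERS.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing hardening header: {name}")
        elif values[-1].upper() not in allowed:
            findings.append(f"unexpected value for {name}: {values[-1]}")
    return findings


# Constructed sample responses: before and after <remove name="X-Powered-By" /> and AddServerHeader = false.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
          "X-Frame-Options: DENY\r\nContent-Length: 0\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(parse_response_head(raw)) or ["clean"])
```

To check a live deployment, feed the function the head of a response captured with curl -i (or any client that shows raw headers) instead of the constructed samples.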