
Remove HTTP server and X-Powered-By headers

My app is deployed on Azure App Service. The response of my server includes the following HTTP headers:

    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET

which I would like to permanently exclude from my responses.

The problem is the following. I tried three things:

  1. Changes in web.config file

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
            <remove name="Server" />
            <remove name="Access-Control-Allow-Origin" />
          </customHeaders>
        </httpProtocol>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
      </system.webServer>
    </configuration>
    

On my localhost, when I run my app and make a request, I do not get the aforementioned headers, but when I deploy it on Azure I get the headers again.

  2. Change Startup.cs file

    app.Use(async (context, next) =>
    {
        context.Response.Headers.Remove("Server");
        context.Response.Headers.Remove("X-Powered-By");
        await next();
    });

This produces the same result: OK on localhost, but when deployed I get the same headers.

  3. Write middleware

    public async Task InvokeAsync(HttpContext context)
    {
        context.Response.Headers.Remove("Server");
        context.Response.Headers.Remove("X-Powered-By");

        await _next(context);
    }

    // Pipeline registration:
    app.UseMiddleware<HttpMiddleware>();
        app.UseAuthentication();
        app.UseMiddleware<RequestLoggingMiddleware>();
    

This also produces the same result: OK on localhost, but when deployed to Azure I get the same headers. I am not an Azure/cloud expert, but maybe there is something that needs to be changed on Azure?

NeoXX asked Jul 01 '26 06:07


1 Answer

According to your description, I suggest you try the way below to remove the X-Powered-By: ASP.NET.

If you host the application on Linux, you could try to modify the UseKestrel setting in Program.cs:

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
                // Do not emit Kestrel's own Server header.
                webBuilder.UseKestrel(option => option.AddServerHeader = false);
            });


If you host the application on Windows, you should modify the web.config to remove the header, like below:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>

      <!-- To customize the asp.net core module uncomment and edit the following section. 
      For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->

      <system.webServer>
        <handlers>
          <remove name="aspNetCore"/>
          <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
        </handlers>
        <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>

    </configuration>


Brando Zhang answered Jul 03 '26 00:07
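A way to check the outcome of each change discussed above is to compare the raw response from localhost with the one from the deployed site and list the fingerprinting headers that appear only on the deployed one. This is an added example, not code from the question or the answer; the function names are hypothetical and the two sample responses are constructed from the headers quoted in the question.

```python
"""Added example: flag server-fingerprinting headers in raw HTTP responses."""
from email.parser import Parser

# Header names that reveal the server stack. The first two are the ones on
# this page; the last two are other headers ASP.NET can emit (assumption:
# you want them reported as well).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Constructed samples: what the question describes for localhost and Azure.
LOCAL_SAMPLE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
DEPLOYED_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n{}"
)


def parse_headers(raw: str) -> dict:
    """Parse a raw response into {lowercased header name: [values]}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, header_block = head.partition("\n")  # drop the status line
    msg = Parser().parsestr(header_block, headersonly=True)
    parsed = {}
    for name, value in msg.items():
        # Header names are case-insensitive and may repeat.
        parsed.setdefault(name.lower(), []).append(value.strip())
    return parsed


def disclosing_headers(raw: str) -> dict:
    """Return only the fingerprinting headers present in the response."""
    headers = parse_headers(raw)
    return {n: headers[n] for n in DISCLOSING if n in headers}


def only_on_deployed(local_raw: str, deployed_raw: str) -> dict:
    """Fingerprinting headers whose values differ from the local response."""
    local = disclosing_headers(local_raw)
    deployed = disclosing_headers(deployed_raw)
    return {n: v for n, v in deployed.items() if local.get(n) != v}


if __name__ == "__main__":
    for name, values in only_on_deployed(LOCAL_SAMPLE, DEPLOYED_SAMPLE).items():
        print(f"still disclosed after deployment: {name}: {', '.join(values)}")
```

In practice, replace the two samples with the saved output of `curl -si <url>` for each environment.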


