Is it possible to remove the Server Response header in a ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?
I tried putting the following in the web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="sameorigin" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
<remove name="X-Powered-By" />
<remove name="Server" />
</customHeaders>
</httpProtocol>
</system.webServer>
The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel"
In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.
If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the Server header, so you may need to remove this rule for those applications.
Kestrel is a cross-platform web server for ASP.NET Core. Kestrel is the web server that's included and enabled by default in ASP.NET Core project templates. Kestrel supports the following scenarios: HTTPS. HTTP/2 (except on macOS†)
This solution works on IIS 10+ version and allows to remove x-powered-by
and server
headers in server response.
In IIS 10 a new attribute was added: removeServerHeader
.
We need to create web.config
file in asp.net core application with following content:
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <security> <requestFiltering removeServerHeader="true" /> </security> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol> </system.webServer> </configuration>
Then publish app and restart site on IIS.
The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.
You can remove the Server header by setting the AddServerHeader property to false
on KestrelServerOptions
, this can be done in the Program.cs.
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => options.AddServerHeader = false)
.UseStartup<Startup>();
For the ones that are trying to do the same thing (removing the Server response header added by Kestrel web server) but using instead ASP.NET core 2.2, they should use the extension method ConfigureKestrel (https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.webhostbuilderkestrelextensions.configurekestrel?view=aspnetcore-2.2#Microsoft_AspNetCore_Hosting_WebHostBuilderKestrelExtensions_ConfigureKestrel_Microsoft_AspNetCore_Hosting_IWebHostBuilder_System_Action_Microsoft_AspNetCore_Server_Kestrel_Core_KestrelServerOptions__) instead of the extension method UseKestrel.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With