Add this to your global.asax.cs:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}
In IIS7 you have to use an HTTP module. Build the following as a class library in VS:
namespace StrongNamespace.HttpModules
{
public class CustomHeaderModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += OnPreSendRequestHeaders;
}
public void Dispose() { }
void OnPreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Set("Server", "Box of Bolts");
}
}
}
Then add the following to your web.config, or you configure it within IIS (if you configure within IIS, the assembly must be in the GAC).
<configuration>
<system.webServer>
<modules>
<add name="CustomHeaderModule"
type="StrongNamespace.HttpModules.CustomHeaderModule" />
</modules>
</system.webServer>
</configuration>
Scott Mitchell provides in a blog post solutions for removing unnecessary headers.
As already said here in other answers, for the Server
header, there is the http module solution, or a web.config solution for IIS 10+, or you can use URLRewrite instead for blanking it.
For this Server
header, the most practical solution for an up-to-date (IIS 10 +) setup is using removeServerHeader
in the web.config:
<system.webServer>
...
<security>
<requestFiltering removeServerHeader="true" />
</security>
...
</system.webServer>
For X-AspNet-Version
and X-AspNetMvc-Version
, Scott Mitchell provides a better way than removing them on each response: simply not generating them at all.
Use enableVersionHeader
for disabling X-AspNet-Version
, in web.config
<system.web>
...
<httpRuntime enableVersionHeader="false" />
...
</system.web>
Use MvcHandler.DisableMvcResponseHeader
in .Net Application_Start event for disabling X-AspNetMvc-Version
MvcHandler.DisableMvcResponseHeader = true;
And finally, remove in IIS configuration the X-Powered-By
custom header in web.config.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
Beware, if you have ARR (Application Request Routing), it will also add its own X-Powered-By
, which will not be removed by custom headers settings. This one has to be removed through the IIS Manager, Editor configuration on the IIS root (not on a site): go to system.webServer/proxy
node and set arrResponseHeader
to false
. After an IISReset
, it is taken into account.
(I have found this one here, excepted this post is about old IIS 6.0 way of configuring things.)
Do not forget that solution by application code does not apply by default to header generated on static content (you may activate the runAllManagedModulesForAllRequests
for changing that, but it causes all requests to run .Net pipeline). It is not an issue for X-AspNetMvc-Version
since it is not added on static content (at least if static request are not run in .Net pipeline).
Side note: when the aim is to cloak used technology, you should also change standard .Net cookie names (.ASPXAUTH
if forms auth activated (use name
attribute on forms
tag in web.config), ASP.NET_SessionId
(use <sessionState cookieName="yourName" />
in web.config under system.web
tag), __RequestVerificationToken
(change it by code with AntiForgeryConfig.CookieName
, but unfortunately does not apply to the hidden input this system generates in the html)).
With the URL Rewrite Module Version 2.0 for IIS (UrlRewrite) enabled, in the configuration section <configuration>
➡ <system.webServer>
➡ <rewrite>
add the outbound rule:
<outboundRules>
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With