As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.
Example before stripping headers:
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 05 Jun 2013 00:27:54 GMT Content-Length: 3687
Web.config:
<httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol>
Global.asax.cs:
protected void Application_PreSendRequestHeaders() { Response.Headers.Remove("Server"); Response.Headers.Remove("X-AspNet-Version"); Response.Headers.Remove("X-AspNetMvc-Version"); Response.AddHeader("Strict-Transport-Security", "max-age=300"); Response.AddHeader("X-Frame-Options", "SAMEORIGIN"); }
And after that, all calls to the site and API return safer headers, like so:
HTTP/1.1 500 Internal Server Error Cache-Control: private Content-Type: text/html; charset=utf-8 Date: Wed, 05 Jun 2013 00:27:54 GMT Content-Length: 3687
So far, so good. However, I've noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the server header.
HTTP/1.1 304 Not Modified Cache-Control: no-cache Accept-Ranges: bytes Etag: "a3f2a35bdf45ce1:0" Server: Microsoft-IIS/8.0 Date: Tue, 25 Jun 2013 18:33:16 GMT
I'm assuming this is being handled by IIS somehow, but can't find anywhere to remove that header. I've tried adding:
<remove name="Server" />
to the httpProtocol/customHeaders section in Web.config, as mentioned above. I've also tried going into the IIS Manager's HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns
Server: Microsoft-IIS/8.0
when loading any images, CSS, or JS. Where/what do I need to set something to fix this?
In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.
Overview. The <customHeaders> element of the <httpProtocol> element specifies custom HTTP headers that Internet Information Services (IIS) 7 will return in HTTP responses from the Web server. HTTP headers are name and value pairs that are returned in responses from a Web server.
The only one without an easy listed solution for was the "Server" header. I was able to remove it locally in IIS and in an Azure web site by adding this in the web.config
<system.webServer> <security> <requestFiltering removeServerHeader="true" /> </security> </system.webServer>
The same way that's in this answer, and in this website:, you should use the following steps:
C#:
namespace MvcExtensions.Infrastructure { public class CustomServerName : IHttpModule { public void Init(HttpApplication context) { context.PreSendRequestHeaders += OnPreSendRequestHeaders; } public void Dispose() { } void OnPreSendRequestHeaders(object sender, EventArgs e) { HttpContext.Current.Response.Headers.Remove("Server"); } } }
Web.config:
<system.webServer> <modules> <add name="CustomHeaderModule" type="MvcExtensions.Infrastructure.CustomServerName" /> </modules> </system.webServer>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With