
Why aren't the Server and X-Powered-By headers being removed?

My ASP.NET 4.5 app is being deployed to shared hosting so I do not have access to IIS settings. To remove the X-Powered-By header, I specify in web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

And to remove the Server header, I specify in Global.asax:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
  HttpContext.Current.Response.Headers.Remove("Server");
}

However, responses still contain both headers:

Cache-Control:private
Content-Encoding:deflate
Content-Length:672
Content-Type:text/html; charset=utf-8
Date:Sun, 06 Jan 2013 00:41:20 GMT
Server:Microsoft-IIS/7.5
X-Powered-By:ARR/2.5
X-Powered-By:ASP.NET

How can I remove them?

James asked Jan 06 '13 00:01


2 Answers

I'm not sure why your X-Powered-By isn't being removed, but a Windows Update patch earlier this year made it so that the Application_PreSendRequestHeaders fix no longer removed the Server: header for us.

We had to add a section to our system.webServer block (in the Web.config) using IIS URL Rewrite Module 2:

<rewrite>
    <outboundRules>
        <rule name="Remove RESPONSE_Server">
            <match serverVariable="RESPONSE_Server" pattern=".+"/>
            <action type="Rewrite" value=""/>
        </rule>
    </outboundRules>
</rewrite>

Owen Blacker answered Oct 09 '22 07:10


The X-Powered-By:ASP.NET is normally removed by simple web.config configuration:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
...

The ARR one is unaffected by this configuration; it has to be removed through the IIS Manager, Editor configuration on the IIS root (not on a site): go to the system.webServer/proxy node and set arrResponseHeader to false. After an IISReset, it is taken into account.
I have found this one here, except that this post is about the old IIS 6.0 way of configuring things.

So for your case, without access to IIS settings, you would have to ask the server owner to adjust his configuration. Or try the URL Rewrite solution but, of course, with the HTTP_X_Powered_By server variable. It will at best only blank out the header, and I have not checked that it works for the ARR case.

Frédéric answered Oct 09 '22 08:10
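
A way to verify the outcome of the fixes discussed in this thread, as an added example that is not code from any of the posters: a small Python audit that reads a raw header block and reports each Server / X-Powered-By entry, keeping repeated headers separate (the question shows two X-Powered-By lines) and flagging a header that is present but empty, which is the most the second answer expects from an outbound rewrite rule. The function names and the AFTER sample are assumptions made for this example.

```python
from collections import defaultdict

# Headers this thread is about; names are compared case-insensitively.
DISCLOSING = ("server", "x-powered-by")

# Response headers quoted in the question.
BEFORE = """Cache-Control:private
Content-Encoding:deflate
Content-Length:672
Content-Type:text/html; charset=utf-8
Date:Sun, 06 Jan 2013 00:41:20 GMT
Server:Microsoft-IIS/7.5
X-Powered-By:ARR/2.5
X-Powered-By:ASP.NET"""

# Constructed sample (not from the page): Server blanked, ASP.NET value
# removed, ARR value still emitted by the proxy layer.
AFTER = """HTTP/1.1 200 OK
Cache-Control:private
Content-Type:text/html; charset=utf-8
Server:
X-Powered-By:ARR/2.5"""

def parse_headers(raw):
    """Return {lowercased name: [values]}, one list entry per header line."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if ":" not in line:
            continue  # blank line or status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)

def audit(raw):
    """Return (header, value, status) for every disclosing header line.

    status is "disclosed" when a value is sent and "blanked" when the
    header is still present but empty.
    """
    headers = parse_headers(raw)
    return [(name, value, "disclosed" if value else "blanked")
            for name in DISCLOSING
            for value in headers.get(name, [])]

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for name, value, status in audit(raw):
            print(f"{label}: {name}={value!r} -> {status}")
```

Run it against the header block from your own deployment after each configuration change; an empty result means neither header is sent at all.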