How to remove ASP.NET server headers

By FoxLearn 11/9/2024 2:40:11 PM 43

To remove or modify ASP.NET server headers (like X-AspNet-Version, X-Powered-By, etc.) in your application, you can take a few different approaches depending on your version of ASP.NET and the specific headers you want to remove.

How to remove the HTTP Server headers?

If you're using IIS to host your ASP.NET application, you can use the web.config file to remove or modify server headers.

To remove "Server" HTTP response header, You need to download and install the IIS URL Rewrite Module if it’s not already installed, then add an Outbound Rule under <system.webServer> => <rewrite> as shown below.

<system.webServer>
    <rewrite>
      <outboundRules>
          <rule name="RemoteServer">
              <match serverVariable="RESPONSE_SERVER" pattern=".+" />    <!--Remove "Server" Value-->
              <action type="Rewrite" />
          </rule>
      </outboundRules>
    </rewrite> 
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />     <!--Remove "X-Powered-By" -->
      </customHeaders>
    </httpProtocol>    
</system.webServer> 
<system.web>
  <httpRuntime enableVersionHeader="false" />   <!--Remove "X-AspNet-Version" -->
<system.web>

To remove "X-Powered-By" header, add <remove name="X-Powered-By" /> under httpProtocol.

By default, ASP.NET adds the X-AspNet-Version header. Unfortunately, you can't directly remove this header via web.config. However, you can turn off the feature that adds the version number to HTTP headers.

To remove "X-AspNet-Version" header, add <httpRuntime enableVersionHeader="false" /> under <system.web>

This disables the version header for the ASP.NET runtime (X-AspNet-Version).