How to Remove Response Headers in IIS
By Tan Lee, published on Nov 09, 2024
By default, Microsoft IIS servers send various headers with responses to client browsers, which may reveal sensitive details about the server's platform, technologies, or versions being used.
This can provide attackers with valuable information to exploit vulnerabilities specific to certain technologies. Therefore, many organizations choose to disable or modify these headers for additional security.
In this article, we will guide you through removing common response headers such as:
- Server – exposes the web server and its version (e.g., Microsoft-IIS).
- X-AspNet-Version – reveals the version of ASP.NET (e.g., 2.0.50727).
- X-AspNetMvc-Version – provides the version of ASP.NET MVC used by the application.
How to remove the HTTP Server headers?
If you're using IIS to host your ASP.NET application, you can use the web.config file to remove or modify server headers.
To remove the "Server" HTTP response header, you need to download and install the IIS URL Rewrite Module if it is not already installed, then add an Outbound Rule under <system.webServer> => <rewrite> as shown below.
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="RemoteServer">
        <match serverVariable="RESPONSE_SERVER" pattern=".+" />
        <!-- Rewrite the "Server" value to an empty string -->
        <action type="Rewrite" />
      </rule>
    </outboundRules>
  </rewrite>
  <httpProtocol>
    <customHeaders>
      <!-- Remove "X-Powered-By" -->
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
<system.web>
  <!-- Remove "X-AspNet-Version" -->
  <httpRuntime enableVersionHeader="false" />
</system.web>
To remove the "X-Powered-By" header, add <remove name="X-Powered-By" /> under <httpProtocol> => <customHeaders>.
By default, ASP.NET adds the X-AspNet-Version header. Unfortunately, you can't directly remove this header via web.config. However, you can turn off the feature that adds the version number to HTTP headers.
To remove the "X-AspNet-Version" header, add <httpRuntime enableVersionHeader="false" /> under <system.web>. This disables the version header for the ASP.NET runtime (X-AspNet-Version).
To remove the X-AspNetMvc-Version header in ASP.NET MVC, add the following line to the Application_Start method in the Global.asax file:
MvcHandler.DisableMvcResponseHeader = true;
In IIS 7.0+, you can use the URL Rewrite Module to remove or modify the Server and other headers like X-AspNet-Version as shown above.
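As an added check that is not part of the original article, the following Python script audits a web.config for the three web.config-side settings described above: the RESPONSE_SERVER outbound rule, the X-Powered-By removal, and enableVersionHeader="false". The sample configuration is constructed to mirror the article's snippet; the MVC header, which is set in code rather than in web.config, is outside its scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config that mirrors the article's snippet (not a real deployment).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="RemoteServer">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" />
        </rule>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>"""

def audit_web_config(xml_text):
    """Map each header the article covers to True if web.config contains its mitigation."""
    root = ET.fromstring(xml_text)
    found = {"Server": False, "X-Powered-By": False, "X-AspNet-Version": False}
    # Server: an outbound rule matching RESPONSE_SERVER whose Rewrite action has
    # no value (or an empty one), which blanks the header.
    for rule in root.iterfind("./system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None
                and match.get("serverVariable", "").upper() == "RESPONSE_SERVER"
                and action.get("type") == "Rewrite" and not action.get("value")):
            found["Server"] = True
    # X-Powered-By: an explicit <remove> under customHeaders.
    for rem in root.iterfind("./system.webServer/httpProtocol/customHeaders/remove"):
        if rem.get("name", "").lower() == "x-powered-by":
            found["X-Powered-By"] = True
    # X-AspNet-Version: httpRuntime enableVersionHeader="false".
    rt = root.find("./system.web/httpRuntime")
    if rt is not None and rt.get("enableVersionHeader", "true").lower() == "false":
        found["X-AspNet-Version"] = True
    return found

def still_exposed(xml_text):
    """Headers this web.config leaves in place, sorted by name."""
    return sorted(h for h, ok in audit_web_config(xml_text).items() if not ok)
```

Run it against a deployed web.config before and after the change; an empty result from still_exposed means all three settings are present, but a live request to the site is still the final confirmation.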