How to remove server data from response headers of your ASP.NET application?

The less you give to hackers, the safer your web application is. Hiding the product, technology, and version information of your server is one big step towards narrowing the attack surface of your application.

By default, an IIS server reveals this data to everyone who can reach your application:

Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

This data can be viewed with a proxy such as Fiddler.

Server details

You can remove these headers by adding a few lines to the web.config and Global.asax files. No IIS configuration changes are needed if you are using IIS 7 or a later version.

Remove “Server” header

Add this method into Global.asax:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Strip the "Server" header just before the response headers are written.
    // Requires the IIS 7+ integrated pipeline; in classic mode Response.Headers throws PlatformNotSupportedException.
    HttpContext.Current.Response.Headers.Remove("Server");
}

Add this line into Application_Start in Global.asax:

PreSendRequestHeaders += Application_PreSendRequestHeaders;

Remove “X-AspNet-Version” header

Add this setting to web.config:

<system.web>
     <httpRuntime enableVersionHeader="false" />
...
</system.web>

Remove “X-Powered-By” header

Add this section to web.config:

<system.webServer>
     <httpProtocol>
          <customHeaders>
               <remove name="X-Powered-By" />
          </customHeaders>
     </httpProtocol>
     ...
</system.webServer>
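After applying the three changes above, verify the result rather than assuming it. The following is an added check, not code from the original post: it parses a raw HTTP response head and reports which of the three fingerprinting headers are still present, matching names case-insensitively as HTTP requires. The two sample responses are constructed for the demonstration, not captured from a real server.

```python
# Headers this post removes; HTTP header names are case-insensitive, so match that way.
DISCLOSING_HEADERS = ("Server", "X-AspNet-Version", "X-Powered-By")


def parse_headers(raw_response: str) -> dict:
    """Parse a raw HTTP response head into {lower-cased name: value}.

    Duplicate headers are joined with ", " so a second copy is not silently lost.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def disclosed(raw_response: str) -> dict:
    """Return {header: value} for each fingerprinting header still present."""
    headers = parse_headers(raw_response)
    return {h: headers[h.lower()] for h in DISCLOSING_HEADERS if h.lower() in headers}


# Constructed sample responses, not captured from a real server.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "x-powered-by: ASP.NET\r\n"  # lower-cased on purpose: must still be caught
    "\r\n<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        leaked = disclosed(response)
        print(f"{label}: {leaked or 'no server fingerprint headers'}")
```

To check a deployed site, feed it the raw response saved from Fiddler or from `curl -si`; the lower-cased `x-powered-by` line in the sample shows why the comparison must ignore case.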
