Removing HTTP Headers for ASP.NET sites

Posted on November 26, 2010 by Frederik Vig in ASP.NET, IIS

By default, IIS and ASP.NET add a couple of informational HTTP headers to a response. They add extra traffic and give away security-relevant information such as the ASP.NET version and the IIS version. To see the HTTP headers you can use a proxy tool like Fiddler or Live HTTP Headers. The example below is for a regular ASP.NET site.

HTTP Header for a typical ASP.NET site

Removing the X-Powered-By Header

Open IIS Manager, choose your site and go to HTTP Response Headers. Here you'll see X-Powered-By being inherited. You can remove it either for this site only or for all sites on the server (select the server name in IIS Manager, then HTTP Response Headers).

You can also do this in your site's web.config.

<system.webServer>
...
<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>
...
</system.webServer>

Removing the Server Header

To remove this HTTP Header we need to create a custom HTTP Module.

using System;
using System.Web;
 
namespace MyNamespace
{
    public class HttpHeadersCleanup : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += PreSendRequestHeaders;
        }
 
        private static void PreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers is only available in the IIS 7+ integrated pipeline.
            HttpContext.Current.Response.Headers.Remove("Server");
        }
 
        public void Dispose()
        {
        }
    }
}

You also need to register the HTTP Module in your site's web.config.

<system.webServer>
...
    <modules runAllManagedModulesForAllRequests="true">
        <add name="HttpHeadersCleanup" type="MyNamespace.HttpHeadersCleanup, MyAssembly"/>
    </modules>
...
</system.webServer>

Removing the ETag Header

For more information on ETag see: HTTP ETag.

To remove ETag, add the line below to the PreSendRequestHeaders handler of the HTTP Module described previously.

HttpContext.Current.Response.Headers.Remove("ETag");

Removing the X-AspNet-Version Header

To remove this HTTP Header, set enableVersionHeader to false in your site's web.config.

<system.web>
...
    <httpRuntime enableVersionHeader="false" />
...
</system.web>

Alternatively, remove it in the HTTP Module:

HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");

Here’s how the HTTP Headers look now:

New HTTP Headers after removing X-Powered-By Header, Server, and ETag
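
To confirm the result without a proxy tool, the check below reports which of the four headers covered in this post are still present in a response. It is an added example, not code from the original post; the function names and the two sample responses are constructed for illustration.

```python
import http.client

# Headers this article removes. HTTP header names are case-insensitive.
TARGETS = ("Server", "X-Powered-By", "X-AspNet-Version", "ETag")

def parse_head(raw):
    """Split a raw HTTP/1.x response head into a list of (name, value) pairs."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line:
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def remaining(pairs, targets=TARGETS):
    """Return {target header: [values]} for every target still in the response."""
    wanted = {t.lower(): t for t in targets}
    found = {}
    for name, value in pairs:
        canonical = wanted.get(name.lower())
        if canonical:
            found.setdefault(canonical, []).append(value)
    return found

def fetch(host, path="/", port=80):
    """Send a HEAD request to your own site; returns (name, value) pairs."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed sample response heads, not captured from a real server.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          "ETag: \"constructed\"\r\nServer: Microsoft-IIS/7.5\r\n"
          "x-aspnet-version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, remaining(parse_head(raw)))
```

For a live check, pass the output of `fetch("your-host")` to `remaining()`; an empty result means none of the four headers is being sent for that URL.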
