Removing HTTP Headers for ASP.NET sites
Posted on November 26, 2010 by Frederik Vig in ASP.NET, IIS
By default IIS and ASP.NET add a couple of informational HTTP headers to every response. They add extra traffic and disclose security-relevant information such as the ASP.NET version and the IIS version. To see the HTTP headers you can use a tool like the Fiddler proxy or Live HTTP Headers. The example below is for a regular ASP.NET site.
Removing the X-Powered-By Header
Open up IIS Manager, choose your site and go to HTTP Response Headers. Here you’ll see X-Powered-By being inherited. You can either remove it only for this site or for all sites on this server (select the server name in IIS Manager and HTTP Response Headers).
You can also do this in your site’s web.config.
    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>
Removing the Server Header
To remove this HTTP Header we need to create a custom HTTP Module.
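    using System;
    using System.Web;

    namespace MyNamespace
    {
        // HTTP module that strips the Server header from every response.
        public class HttpHeadersCleanup : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                // Hook the event raised just before the headers are sent to the client.
                context.PreSendRequestHeaders += PreSendRequestHeaders;
            }

            private static void PreSendRequestHeaders(object sender, EventArgs e)
            {
                // Response.Headers is only available in the IIS 7 integrated pipeline.
                HttpContext.Current.Response.Headers.Remove("Server");
            }

            public void Dispose()
            {
            }
        }
    }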
You also need to register the HTTP Module in your site’s web.config.
    <system.webServer>
      ...
      <modules runAllManagedModulesForAllRequests="true">
        <add name="HttpHeadersCleanup" type="MyNamespace.HttpHeadersCleanup, MyAssembly"/>
      </modules>
      ...
    </system.webServer>
Removing the ETag Header
For more information on ETag see: HTTP ETag.
To remove ETag you need to add the code below to the HTTP Module described previously.
    HttpContext.Current.Response.Headers.Remove("ETag");
Removing the X-Aspnet-Version Header
To remove this HTTP Header you simply set enableVersionHeader to false in your site’s web.config.
    <system.web>
      ...
      <httpRuntime enableVersionHeader="false" />
      ...
    </system.web>
Or by removing it in the HTTP Module:
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
Here’s how the HTTP Headers look now:
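To check the result repeatably, the Python script below parses a raw response head (for instance one copied out of Fiddler) and lists which of the four headers covered above are still present. It is an added example, not code from the original post; the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example: audit a raw response head for the headers the post removes.
# Header names come from the post; all sample responses below are constructed.
TARGET_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "ETag")


def parse_head(raw):
    """Return (status_line, {lowercase name: [values]}) for a raw HTTP response."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; body text is never inspected
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def audit(raw):
    """Return {header: [values]} for every targeted header still present."""
    _, headers = parse_head(raw)
    # HTTP header names are case-insensitive, so compare in lowercase.
    return {h: headers[h.lower()] for h in TARGET_HEADERS if h.lower() in headers}


COMMON = "Cache-Control: private\r\nContent-Type: text/html; charset=utf-8\r\n"
BEFORE = (
    "HTTP/1.1 200 OK\r\n" + COMMON
    + 'ETag: "constructed-etag"\r\n'
    + "Server: Microsoft-IIS/7.5\r\n"
    + "X-AspNet-Version: 4.0.30319\r\n"
    + "X-Powered-By: ASP.NET\r\n\r\n"
)
# Partial cleanup: Server remains (sent in different case); body mimics a header.
PARTIAL = (
    "HTTP/1.1 200 OK\r\n" + COMMON
    + "SERVER: Microsoft-IIS/7.5\r\n\r\n"
    + "X-Powered-By: this line is body text, not a header\r\n"
)
AFTER = "HTTP/1.1 200 OK\r\n" + COMMON + "\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        leaked = audit(raw)
        print(f"{label}: {', '.join(leaked) if leaked else 'clean'}")
```

Run it against responses for both a dynamic page and a static file, since the two can pass through different modules and carry different headers.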
Gilles says:
January 16, 2011 at 18:40
Hi Frederik,
Great post, but you should use PostReleaseRequestState event instead of PreSendRequestHeaders in your HttpModule. Please read details at http://blogs.msdn.com/b/asiatech/archive/2010/10/18/heap-corruption-in-httpcachemodule-while-you-try-to-remove-http-headers-in-your-custom-http-module.aspx
Gilles
Yousef Jadallah says:
January 11, 2013 at 19:45
Nice one.
Thanks for sharing.
Vijay says:
April 1, 2014 at 07:18
Nice article indeed. I would like to ask how can I remove these two from the headers:-
“Transfer-Encoding: chunked
Date: Mon, 31 Mar 2014 07:45:48 GMT”
Thanks in advance and thanks for sharing the nice article.