Removing HTTP Headers for ASP.NET sites

Posted on November 26, 2010 by Frederik Vig in ASP.NET, IIS

By default IIS and ASP.NET add a couple informational HTTP Headers to a response. They add extra traffic and give away security information like ASP.NET version, IIS version etc. To see the HTTP Header you can use a proxy tool like Fiddler or Live HTTP Header. The example below is for a regular ASP.NET site.

Removing the X-Powered-By Header

Open up IIS Manager, choose your site and go to HTTP Response Headers. Here you’ll see X-Powered-By being inherited. You can either remove it only for this site or for all sites on this server (select the server name in IIS Manager and HTTP Response Headers).

You can also do this in your sites web.config.

<system.webServer>
...
<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>
...
</system.webServer>

Removing the Server Header

To remove this HTTP Header we need to create a custom HTTP Module.

using System;
using System.Web;
 
namespace MyNamespace
{
    public class HttpHeadersCleanup : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += PreSendRequestHeaders;
        }
 
        private static void PreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Remove("Server");
        }
 
        public void Dispose()
        {
        }
    }
}

You also need to register the HTTP Module in your sites web.config.

<system.webServer>
...
    <modules runAllManagedModulesForAllRequests="true">
        <add name="HttpHeadersCleanup " type="MyNamespace.HttpHeadersCleanup, MyAssembly"/>
    </modules>
...
</system.webServer>

Removing the ETag Header

For more information on ETag see: HTTP ETag.

To remove ETag you need to add the code below to the HTTP Module described previously.

HttpContext.Current.Response.Headers.Remove("ETag");

Removing the X-Aspnet-Version Header

To remove this HTTP Header you simply set enableVersionHeader to false in your sites web.config.

<system.web>
...
    <httpRuntime enableVersionHeader="false" />
...
</system.web>

Or by removing it in the HTTP Module:

HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");

Here’s how the HTTP Headers look now:

Tagged: ASP.NET EPiServer IIS Umbraco

Frederik Vig

Post Author

I'm a partner and ASP.NET developer for the Norwegian web agency Geta. I mainly write about things I work with, which are: .NET and web technologies

Other posts by Frederik Vig →

Discussion · 3 Comments

There are 3 responses to "Removing HTTP Headers for ASP.NET sites". Comments are closed for this post.

Gilles says:
Post Author January 16, 2011 at 18:40

Hi Frederik,

Great post, but you should use PostReleaseRequestState event instead of PreSendRequestHeaders in your HttpModule. Please read details at http://blogs.msdn.com/b/asiatech/archive/2010/10/18/heap-corruption-in-httpcachemodule-while-you-try-to-remove-http-headers-in-your-custom-http-module.aspx

Gilles
Yousef Jadallah says:
Post Author January 11, 2013 at 19:45

Nice one.
Thanks for sharing.
Vijay says:
Post Author April 1, 2014 at 07:18

Nice article indeed. I would like to ask how can I remove these two from the headers:-

“Transfer-Encoding: chunked
Date: Mon, 31 Mar 2014 07:45:48 GMT”

Thanks in advance and thanks for sharing the nice article.

Frederik Vig – ASP.NET developer

Content Overview

Sidebar is empty.