C# Tips

Today's C# Tip

Remove ASP.NET server info headers

Some HTTP headers sent by IIS web server disclose server information.

And here is the summary how to remove the HTTP Server headers (Note: this is one of many ways).

  1. To remove "Server" HTTP response header, install IIS URL Rewrite from https://www.iis.net/downloads/microsoft/url-rewrite and add an Outbound Rule under <system.webServer> => <rewrite> as below.
  2. To remove "X-Powered-By" header, add <remove name="X-Powered-By" /> under httpProtocol.
  3. To remove "X-AspNet-Version" header, add <httpRuntime enableVersionHeader="false" /> under <system.web>
<system.webServer>        
	<rewrite>
	  <outboundRules>
		  <rule name="RemoteServer">
			  <match serverVariable="RESPONSE_SERVER" pattern=".+" />    <!--Remove "Server" Value-->
			  <action type="Rewrite" />
		  </rule>
	  </outboundRules>
	</rewrite>

	<httpProtocol>
	  <customHeaders>
		<remove name="X-Powered-By" />     <!--Remove "X-Powered-By" -->
	  </customHeaders>
	</httpProtocol>    
</system.webServer>

<system.web>
  <httpRuntime enableVersionHeader="false" />   <!--Remove "X-AspNet-Version" -->
<system.web>