C# Tips

C# Tip Article

Remove ASP.NET server info headers

Some HTTP headers sent by IIS web server disclose server information.

And here is the summary how to remove the HTTP Server headers (Note: this is one of many ways).

  1. To remove "Server" HTTP response header, install IIS URL Rewrite from https://www.iis.net/downloads/microsoft/url-rewrite and add an Outbound Rule under <system.webServer> => <rewrite> as below.
  2. To remove "X-Powered-By" header, add <remove name="X-Powered-By" /> under httpProtocol.
  3. To remove "X-AspNet-Version" header, add <httpRuntime enableVersionHeader="false" /> under <system.web>
<system.webServer>        
	<rewrite>
	  <outboundRules>
		  <rule name="RemoteServer">
			  <match serverVariable="RESPONSE_SERVER" pattern=".+" />    <!--Remove "Server" Value-->
			  <action type="Rewrite" />
		  </rule>
	  </outboundRules>
	</rewrite>

	<httpProtocol>
	  <customHeaders>
		<remove name="X-Powered-By" />     <!--Remove "X-Powered-By" -->
	  </customHeaders>
	</httpProtocol>    
</system.webServer>

<system.web>
  <httpRuntime enableVersionHeader="false" />   <!--Remove "X-AspNet-Version" -->
<system.web>