How to delete IIS custom headers like X-Powered-By: ASP.NET from response?

In IIS 7.0 integrated mode after deleting all headers with Response.ClearHeaders() IIS would add some other headers like Server and X-Powered-By which reveals good information to hackers. How can 开发者_如何转开发I stop this behavior (consider I still need to add my custom headers) ?

You can add this to your Web.Config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

Update: if you're using the MVC framework I would also recommend removing the X-AspNetMvc-Version and X-AspNet-Version headers as well. This is accomplished by setting MvcHandler.DisableMvcResponseHeader = true in your Global.asax file and <system.web><httpRuntime enableVersionHeader="false" /></system.web> in your Web.config respectively.

The X-Powered-By is configured within IIS. On Windows 7 it's specifically:

1. IIS Manager
2. COMPUTER NAME > Sites > Default Web Site
3. HTTP Respons Headers
4. Remove X-Powered-By

I'm not sure what generates the Server header though.

For IIS7+ integrated mode, eth0 has it: <customHeaders> tag in web.config. Thanks for that. As for the "Server" header, if using MVC, you can simply add:

    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
    }

to your MvcApplication class in Global.asax. Otherwise, you can simply add a custom Http Module, handling the PreSendRequestHeaders event, and do the same thing.

Would like to add here that for the ASP.NET Core versions where there is no longer a web.config file a different approach is necessary.

I made the following adjustments to remove the headers in ASP.NET Core 2.1:

You can remove the x-powered-by header by replacing

<customHeaders>
        <clear />
        <add name="X-Powered-By" value="ASP.NET" />
</customHeaders>

with

<customHeaders>
        <remove name="X-Powered-By" />
</customHeaders>

in the applicationhost.config file found in the .vs\config folder of the project.

The server header can be removed by adding

.UseKestrel(c => c.AddServerHeader = false)

in the Program.cs file.

The following answer includes a complete solution that does not require URLScan or a custom HttpModule, and removes all the related headers you mention. It also works on Azure.

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

URLScan can be used to remove server header, or configure another server header, http://learn.iis.net/page.aspx/938/urlscan-3-reference/

But it never really prevents a hacker to know what you use in fact. There are obviously other ways to detect your server information.

You can use appcmd.exe (IIS 7 and above) to do your job. The script will be like this:

C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webserver/httpProtocol /-customHeaders.["name='X-Powered-By'"] /commit:apphost  

/commit:apphost: This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.

I usually create a batch file of all these scripts which I run on the web server after the application is installed.

For ASP.NET MVC applications the approach is different and you can refer to other answers given here.