Part of the HTTP communication between web servers and browsers is the set of HTTP headers included in each request and response. For example, the following headers were recorded from a typical response to a web request on a typical site:
| Header received | Value |
|---|---|
| (Status-Line) | HTTP/1.1 200 OK |
| Cache-Control | private |
| Connection | Keep-Alive |
| Content-Length | 6619 |
| Content-Type | text/html |
| Date | Thu, 07 Nov 2019 19:12:06 GMT |
| Proxy-Connection | Keep-Alive |
| Server | Microsoft-IIS/8.0 |
| X-Powered-By | ASP.NET |
HTTP headers are a critical part of the communication between clients and servers. They let the server send information that relates to the response but is not part of the content itself. For example, the Content-Length header tells the browser how many bytes of content it is about to receive, and the Cache-Control header tells the browser whether it may cache the response. Two headers in this capture are of particular interest because they identify the web server that serviced the request and the framework running on it: Server (here Microsoft-IIS/8.0) and X-Powered-By (ASP.NET). Most web servers emit headers of this kind by default, and many operators prefer not to send them: they are the first thing a scanner reads when fingerprinting a host, and advertising the exact product and version makes it easier for an attacker to pick the exploits that apply. Suppressing them is a defence-in-depth measure, not a substitute for patching, since a server can usually still be fingerprinted from other behaviour. Our customers asked us to allow these headers to be disabled on Azure Web Sites, and with the recent release of Windows Azure Web Sites this is now possible.

How do I get rid of them?

The Server header is removed through the Request Filtering module, which is part of IIS. To remove it, your site needs a web.config file with the following content:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```
The above removes the Server header. Two other headers that many want to eliminate are X-Powered-By and X-AspNet-Version. To remove them, your web.config needs the following two segments. X-Powered-By is added by IIS itself as a custom header, so it is removed by name inside the `<system.webServer>` element (note the capital S; web.config element names are case-sensitive):

```xml
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
```

X-AspNet-Version is emitted by the ASP.NET runtime rather than by IIS, so it is switched off inside `<system.web>`:

```xml
<httpRuntime enableVersionHeader="false" />
```
So, if you want all of them removed, your web.config will look like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```
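Most sites already have a web.config with settings that must not be lost, so the three elements above have to be merged into it rather than pasted over it. The following script is an added example, not code from the original post or from Azure Web Sites: it reads a web.config, adds exactly the three settings shown above where they are missing, keeps every other element, attribute and comment, and reports what it changed, so running it a second time is a no-op. The embedded `EXISTING_CONFIG` is a constructed sample of a typical ASP.NET site's configuration.

```python
"""Idempotently merge the header-removal settings into a web.config.

Added example; not part of the original post. Standard library only.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'


def _child(parent: ET.Element, tag: str) -> ET.Element:
    """Return the first child element with this tag, creating it if absent."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def ensure_header_removal(config_xml: str) -> Tuple[str, List[str]]:
    """Return (updated web.config text, list of changes made).

    Existing elements and attributes are kept and comments are preserved.
    IIS reads boolean attributes case-insensitively, so "True" already counts
    as configured.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(config_xml, parser=parser)
    if root.tag != "configuration":
        raise ValueError(f"expected <configuration> root, got <{root.tag}>")
    changes: List[str] = []

    # Server header: requestFiltering removeServerHeader="true" under system.webServer.
    web_server = _child(root, "system.webServer")
    filtering = _child(_child(web_server, "security"), "requestFiltering")
    if (filtering.get("removeServerHeader") or "").lower() != "true":
        filtering.set("removeServerHeader", "true")
        changes.append("set requestFiltering removeServerHeader=true")

    # X-Powered-By: IIS adds it as a custom header, so it is removed by name.
    custom = _child(_child(web_server, "httpProtocol"), "customHeaders")
    removed = {r.get("name", "").lower() for r in custom.findall("remove")}
    if "x-powered-by" not in removed:
        ET.SubElement(custom, "remove", name="X-Powered-By")
        changes.append("added customHeaders remove X-Powered-By")

    # X-AspNet-Version: emitted by the ASP.NET runtime, hence system.web.
    runtime = _child(_child(root, "system.web"), "httpRuntime")
    if (runtime.get("enableVersionHeader") or "").lower() != "false":
        runtime.set("enableVersionHeader", "false")
        changes.append("set httpRuntime enableVersionHeader=false")

    if hasattr(ET, "indent"):  # Python 3.9+; older versions just skip pretty-printing
        ET.indent(root, space="  ")
    return XML_DECLARATION + ET.tostring(root, encoding="unicode"), changes


# Constructed sample: the web.config of an existing ASP.NET site, with
# settings (and a comment) that must survive the merge.
EXISTING_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- compilation settings for the site -->
  <system.web>
    <compilation debug="false" />
    <httpRuntime targetFramework="4.5" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    # Usage: python ensure_headers.py [path/to/web.config]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="utf-8-sig").read() if path else EXISTING_CONFIG
    updated, made = ensure_header_removal(source)
    for change in made:
        print("changed:", change)
    if path:
        open(path, "w", encoding="utf-8").write(updated)
    else:
        print(updated)
```

Run it without arguments to see the merged result for the constructed sample; give it a path to update a real file in place. Review the diff before deploying, as with any generated configuration change.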
Naturally, if your site already has a web.config file, you need to merge either or both of the elements described above into it rather than replace it. After deploying, verify the result from outside instead of trusting the configuration: request a page that is handled by ASP.NET (X-AspNet-Version is only added to responses the ASP.NET runtime produces, so a static file will not show whether it is gone) and confirm that Server, X-Powered-By and X-AspNet-Version are absent. If a header persists, check whether a proxy or load balancer in front of the site is adding its own copy, since the settings above only affect what IIS and ASP.NET emit; frameworks layered on top of ASP.NET may also add version headers of their own that these settings do not touch.
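To check the result the way a scanner would see it, here is an added example (not code from the original post) that parses a raw HTTP response and reports which fingerprinting headers are still present, or fetches the live headers when given a URL. The two embedded responses are constructed samples modelled on the table at the top of the post, before and after the web.config changes; the X-AspNet-Version value in the "before" sample is assumed, since the capture above does not show that header.

```python
"""Report server-fingerprinting headers in an HTTP response.

Added example; not part of the original post. Standard library only.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Headers that reveal the server product or framework version. Header names
# are case-insensitive, so everything is compared in lower case.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_raw_response(raw: str) -> Dict[str, List[str]]:
    """Parse the status line and header block of a raw HTTP/1.x response.

    Returns {lowercased name: [values]}; repeated headers keep all values and
    any body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[:1]!r}")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")  # only the first colon separates
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosing_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return just the fingerprinting headers that are present with a value."""
    return {
        name: values
        for name, values in headers.items()
        if name in FINGERPRINT_HEADERS and any(values)
    }


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, List[str]]:
    """GET the URL and return its response headers (live checks only).

    Error responses are inspected too: an IIS 404 page discloses the same
    headers as a 200, so a 4xx must not abort the check.
    """
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    headers: Dict[str, List[str]] = {}
    for name, value in resp.headers.items():
        headers.setdefault(name.lower(), []).append(value)
    resp.close()
    return headers


# Constructed sample modelled on the table in the post: the default IIS/ASP.NET
# response before any web.config changes (X-AspNet-Version value assumed).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 07 Nov 2019 19:12:06 GMT\r\n"
    "Content-Length: 6619\r\n"
    "\r\n"
)

# Constructed sample of the same response after the three removals.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html\r\n"
    "Date: Thu, 07 Nov 2019 19:12:06 GMT\r\n"
    "Content-Length: 6619\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Usage: python audit_headers.py [https://your-site.example/]
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_response(BEFORE)
    leaks = disclosing_headers(headers)
    if leaks:
        for name, values in sorted(leaks.items()):
            print(f"still disclosed: {name}: {', '.join(values)}")
    else:
        print("no fingerprinting headers present")
```

Point it at a page that ASP.NET actually renders; on a static file the absence of X-AspNet-Version proves nothing. If Server is reported even though `removeServerHeader` is set, the value usually comes from a proxy or load balancer in front of the site rather than from IIS.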