Removing HTTP headers

Checking HTTP headers with CURL

```
curl -I -L https://test-etf.udir.tech
Restart-Computer
```

Remove ASP.Net MVC Default HTTP Headers

Global.asax.cs

```csharp
protected void Application_Start()
{
    // ...
    // Suppresses the X-AspNetMvc-Version response header.
    MvcHandler.DisableMvcResponseHeader = true;
    // ...
}
```

web.config

```xml
<system.web>
    <!-- ... -->
    <!-- Suppresses the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- ... -->
</system.web>
```

web.config

```xml
<system.webServer>
    <!-- ... -->
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
            <remove name="X-AspNetMvc-Version" />
        </customHeaders>
    </httpProtocol>
    <!-- ... -->
</system.webServer>
```

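PowerShell

```powershell
Import-Module WebAdministration

# IIS 10.0 and later: stop IIS from adding the Server header (server-wide).
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

# Remove the X-Powered-By entry from the custom headers collection.
Clear-WebConfiguration "/system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"

# HTTP.sys: suppress the Server header it adds itself; takes effect after a restart.
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  -Name DisableServerHeader -PropertyType DWord -Value 1 -Force

# Same removeServerHeader setting through appcmd, scoped to one site.
C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.webServer/security/requestFiltering /removeServerHeader:True
```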

## Azure only

```xml
<system.webServer>
    <security>
        <requestFiltering removeServerHeader="true">
        </requestFiltering>
    </security>
</system.webServer>
```

## Blank server header:

```xml
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
```

You can use the PreSendRequestHeaders and PreSendRequestContent events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Subscribing to these events from managed code can cause issues with asynchronous requests. The correct approach is to use the BeginRequest event:

```csharp
protected void Application_BeginRequest(object sender, EventArgs e)
{
  var application = sender as HttpApplication;
  if (application != null && application.Context != null)
  {
    application.Context.Response.Headers.Remove("Server");
  }
}
```
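
To confirm the settings above took effect, the `curl -I -L` check from the top of this page can be scripted. The following is an added example, not part of the original gist: it reads the header dump on stdin, walks every hop of a redirect chain, and reports any of the four disclosure headers that still carry a value. The function name, the sample responses, and the host `app.example.test` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Reads raw response headers (curl -sI -L output) on stdin, one block per hop.
# Prints each disclosure header that still carries a value; returns 1 if any.
audit_headers() {
  awk '
    BEGIN { hop = 0; found = 0 }
    { sub(/\r$/, "") }               # curl keeps the CRLF line endings
    /^HTTP\// { hop++; next }        # a status line starts a new hop
    {
      i = index($0, ":")
      if (i == 0) next               # blank separator line
      name = substr($0, 1, i - 1)
      value = substr($0, i + 1)
      sub(/^[ \t]+/, "", value)
      key = tolower(name)            # header names are case-insensitive
      if (key != "server" && key != "x-powered-by" &&
          key != "x-aspnet-version" && key != "x-aspnetmvc-version") next
      if (value == "") next          # blanked by the outbound rewrite rule
      printf "hop %d: %s: %s\n", hop, name, value
      found = 1
    }
    END { exit found }
  '
}

# Constructed sample: default IIS/ASP.NET MVC responses across one redirect.
sample_before() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: Microsoft-IIS/10.0\r\n'
  printf 'Location: https://app.example.test/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n'
  printf 'X-Powered-By: ASP.NET\r\nX-AspNet-Version: 4.0.30319\r\n'
  printf 'X-AspNetMvc-Version: 5.2\r\nContent-Type: text/html\r\n\r\n'
}

# Constructed sample: same site after the changes (Server blanked, rest gone).
sample_after() {
  printf 'HTTP/1.1 200 OK\r\nServer:\r\nContent-Type: text/html\r\n\r\n'
}

sample_before | audit_headers || echo "disclosure headers still present"
sample_after | audit_headers && echo "clean"
# Live use: curl -sI -L https://app.example.test | audit_headers
```

Checking every hop matters because a redirect answered before the application runs can still expose a header that the final response no longer has.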