How to remove unnecessary headers from Asp.NET

Web applications use headers to send and receive important information from the client machine to the server.  Here is an example of what some of the headers are:

ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
ACCEPT_ENCODING gzip, deflate, sdch, br
CONNECTION keep-alive
USER_AGENT Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

As you can see, this information gives information about the client machine, connection options as well as some other basic information. These headers are fine as long as they do not give any information about our server. Here are some examples of headers with server information.

SERVER Microsoft-IIS/10.0

This information can be very helpful for an attacker. By knowing what technology and versions we are using the attacker can easily find online if a vulnerability exist. Unfortunately showing these headers is the default setting for, but fortunately it can easily be removed.


Add this to the web.config.


In the Global.asax file add this line in the Application_Start method.

Removing X-POWERED-BY:

This header can easily be removed from iis.

  1. Select the website in which you want to remove the header.
  2. Under the IIS grouping select HTTP Response Headers
  3. You will see the X-Powered-By header there. You can remove it from the right side.

Removing Server:

One of the easiest way to handle this is to create your own custom server header, this will overwrite the existing server header.

I have created a class named CustomServerHeaderModule in my Data folder. Now in the web.config I can add:

That’s all to it. now you won’t need to worry about your website’s headers having any important information about your server.

Bookmark and Share

Leave a Reply

Your email address will not be published. Required fields are marked *