How to remove ASP.Net MVC Default HTTP Headers?
X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

This header can also be modified to your needs; for more information, refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders
Add this to web.config to get rid of the X-AspNet-Version header:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
    </system.web>

Finally, to remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:

    protected void Application_Start()
    {
        // Stops MVC from emitting the X-AspNetMvc-Version response header.
        MvcHandler.DisableMvcResponseHeader = true;
    }

You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic:

    protected void Application_PreSendRequestHeaders(object source, EventArgs e)
    {
        // "foo" and "bar" are placeholder header names.
        Response.Headers.Remove("foo");
        Response.Headers.Add("bar", "quux");
    }

You can also remove them by adding code to your global.asax file:

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        // Strip each identifying header just before the response headers are sent.
        HttpContext.Current.Response.Headers.Remove("X-Powered-By");
        HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
        HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
        HttpContext.Current.Response.Headers.Remove("Server");
    }

I found this configuration in my web.config which was for a New Web Site... created in Visual Studio (as opposed to a New Project...). Since the question states an ASP.NET MVC application, not as relevant, but still an option.

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <clear />
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Update: Also, Troy Hunt has an article titled Shhh… don’t let your response headers talk too loudly with detailed steps on removing these headers as well as a link to his ASafaWeb tool for scanning for them and other security configurations.
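
Added example (not part of any answer above): a small Python check that parses a raw HTTP response head and reports which of the four headers discussed on this page are still being sent, together with the fix the answers give for each. The sample responses and their header values are constructed for illustration; `parse_head` and `audit` are hypothetical helper names.

```python
from email.parser import Parser

# Header (lower-cased) -> the fix given in the answers above.
DISCLOSING = {
    "x-powered-by": 'web.config: <remove name="X-Powered-By" /> in customHeaders',
    "x-aspnet-version": 'web.config: <httpRuntime enableVersionHeader="false" />',
    "x-aspnetmvc-version": "Global.asax.cs: MvcHandler.DisableMvcResponseHeader = true",
    "server": 'Global.asax.cs: Response.Headers.Remove("Server")',
}

def parse_head(raw):
    """Split a raw response into its status line and (name, value) header pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status, _, header_block = head.partition("\n")
    return status, Parser().parsestr(header_block, headersonly=True).items()

def audit(raw):
    """Return (header, value, fix) for each disclosing header still present."""
    _, headers = parse_head(raw)
    return [(n, v, DISCLOSING[n.lower()]) for n, v in headers if n.lower() in DISCLOSING]

# Constructed sample responses (values are illustrative, not captured traffic).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNetMvc-Version: 3.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        findings = audit(raw)
        print(f"{label}: {len(findings)} disclosing header(s)")
        for name, value, fix in findings:
            print(f"  {name}: {value}  ->  {fix}")
```

To check a site you administer, pass the text printed by `curl -sI` for one of its URLs to `audit()`; an empty list means none of the four headers is present in that response.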