Remove "Server" header from ASP.NET Core 2.1 application
The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.
You can remove the Server header by setting the AddServerHeader property to false
on KestrelServerOptions
, this can be done in the Program.cs.
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.UseKestrel(options => options.AddServerHeader = false)
.UseStartup<Startup>();
This solution works on IIS 10+ version and allows to remove x-powered-by
and server
headers in server response.
In IIS 10 a new attribute was added: removeServerHeader
.
We need to create web.config
file in asp.net core application with following content:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
Then publish app and restart site on IIS.