How to Remove Server from Response Header for ASP.NET Core Web API on IIS 8 and 10

As a developer, it is important to know ASP.NET Core security features. Securing your web applications should always be a top priority. One of the ways you can improve your application’s security is by removing sensitive information such as server headers from the HTTP response. In this post, we’ll go over how to remove the server header from an ASP.NET Core Web API application.

Why Remove Server Headers?

The response of an HTTP request includes server headers that provide information about the web server running the application. Attackers can use this information to target specific vulnerabilities or exploit your application. Removing the server header can make it more difficult for attackers to identify the technology stack being used and can make your application less of a target.

How to Remove the Server Header in ASP.NET Core

Here are the steps to remove the server response header in an ASP.NET Core Web API application:

To remove the server header in IIS 8 using the web.config file, you can add the following configuration in the <system.webServer> section:

<httpProtocol>
  <customHeaders>
    <remove name="Server" />
  </customHeaders>
</httpProtocol>

This configuration uses a <remove> element in the <customHeaders> collection to remove the server header from the response headers.

Here’s an example of what your web.config file might look like with this configuration added:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

After making this change, save the web.config file and restart the IIS web server to apply the configuration. Your ASP.NET Core Web API application should no longer include the server header in the response headers.

If you are using IIS version 10 or higher, you have two options to make it work.

Web.Config

This solution works on IIS 10 and later and removes both the X-Powered-By and Server headers from the server response.

IIS 10 added a new attribute, removeServerHeader, on the <requestFiltering> element. After making this change, push the web.config to the server and restart IIS.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
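One way to check a web.config for the two settings shown above before it is deployed, as an added example that is not part of the original post. The helper name audit_web_config and the sample documents are constructed for illustration; it inspects the file only and does not confirm what the server actually sends.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents (not taken from a real site).
HARDENED = """<configuration>
  <system.webServer>
    <security><requestFiltering removeServerHeader="true" /></security>
    <httpProtocol><customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""

READDED = HARDENED.replace(
    '<remove name="X-Powered-By" />',
    '<remove name="x-powered-by" /><add name="X-Powered-By" value="ASP.NET" />')

DEFAULT = "<configuration><system.webServer /></configuration>"

def audit_web_config(xml_text):
    """Return findings for the header settings shown in this post (hypothetical helper)."""
    root = ET.fromstring(xml_text.strip())
    sections = list(root.iter("system.webServer"))  # also matches inside <location>
    if not sections:
        return ["no <system.webServer> section"]
    findings = []
    # IIS 10+: <requestFiltering removeServerHeader="true" />
    flags = [rf.get("removeServerHeader", "") for s in sections
             for rf in s.iter("requestFiltering")]
    if not any(f.lower() == "true" for f in flags):
        findings.append("removeServerHeader is not enabled")
    # Collect <remove>/<add> entries; HTTP header names are case-insensitive.
    names = {"remove": set(), "add": set()}
    for s in sections:
        for ch in s.iter("customHeaders"):
            for entry in ch:
                if entry.tag in names:
                    names[entry.tag].add(entry.get("name", "").lower())
    if "x-powered-by" not in names["remove"]:
        findings.append("X-Powered-By is not removed")
    # An <add> for either header emits it in responses, whatever was removed.
    for header in ("server", "x-powered-by"):
        if header in names["add"]:
            findings.append(f"{header} is set by an <add> element")
    return findings

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED), ("re-added", READDED), ("default", DEFAULT)):
        print(label, audit_web_config(doc) or "OK")
```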

The second option is to use the URL Rewrite module to remove the server header. Here are the steps:

  1. If the URL Rewrite module is not already installed, you should install it. You can download it from the Microsoft website.
  2. Open IIS Manager and select the website for which you want to remove the server header.
  3. Click on the “URL Rewrite” icon and then click “Add Rule(s)” on the right side.
  4. In the “Add Rule(s)” window, select “Blank Rule” and click “OK”.
  5. In the “Edit Inbound Rule” window, give your rule a name and set the following properties:
    • Match URL: Request Headers
    • Header Name: Server
    • Using: Wildcards
    • Pattern: *
    • Action Type: None
  6. Click “Apply” to save your changes.

After you follow these steps, your ASP.NET Core Web API application hosted on IIS 10 or higher should no longer include the server header in the response headers.

Sample App

Essential Product API – DOTNET CORE WEB API project using version 3.1. You can also use .NET 6 or above.

Removing the server response header from the application is now doable.

Note that if you have multiple websites hosted on the same IIS server, you will need to repeat these steps for each website.
