Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to remove Server Header in Asp.Net Core 2.2.1 Web App?

I'm using Asp.Net Core 2.2.1. I'm trying to remove the server Header from the response. I tried adding options.AddServerHeader = false; inside ConfigureKestrel(), but still unsuccessful. Please assist me on where I'm going wrong.

Here is my code:

Program.cs

    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args)
        {
            return WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .ConfigureKestrel((context,options) => {
                    // Set properties and call methods on options
                    options.AddServerHeader = false;
                });
        }
    }

Web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <handlers>
      <remove name="aspNetCore" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess">
      <environmentVariables>
        <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44342" />
        <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
      </environmentVariables>
    </aspNetCore>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Response Image

enter image description here

Thanks,

Abdul

like image 359
fingers10 Avatar asked Oct 21 '25 04:10

fingers10


1 Answers

Calling ConfigureKestrel with options.AddServerHeader = false; will only remove the server header if your application is running on Kestrel. When you are hosting your application on IIS/IISExpress, you need to add the web.config with the following settings:

<configuration> 
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

This line <requestFiltering removeServerHeader="true" /> will do the trick. In addition, you can also remove the custom headers, such as X-Powered-By, if you like by adding the customHeaders section under httpProtocol

Please make sure you have Request Filtering enabled

enter image description here

I hope this helps.

like image 158
Shahzad Hassan Avatar answered Oct 22 '25 20:10

Shahzad Hassan