
Remove response Server header on Azure Web App from the first redirect request to HTTPS

I’m trying to remove the response Server header from an Azure Web App (with an ASP.NET Core application).

After many tries of changing the web.config and removing the header in app code using a middleware, Microsoft doesn’t give up and sets the response header to Server: Microsoft-IIS/10.0 :)

The problem appears only when I’m trying to access the server on http (not https). Response code from the server is 301, and this is the only response that has the Server header.

Checking the logs, I was not able to find any request to http://, and perhaps this is why I’m not able to remove the header, because the request is not processed in my application code.

A solution that I’m thinking of is to disable the Azure HTTPS only option and do the redirect to https in my code (I tested it and it is working - the Server header is removed).

Is there another workaround without disabling the HTTPS only option?

Here is what I tried

Startup.cs

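    public void Configure(IApplicationBuilder app)
    {
        // Blank out the Server header on responses produced by the app pipeline.
        app.Use(async (context, next) =>
        {
            context.Response.Headers.Add("server", string.Empty);
            // Hand off to the next middleware so the HTTPS redirect still runs.
            await next();
        });
        app.UseHttpsRedirection();
    }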

web.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <httpRuntime enableVersionHeader="false" />
        <!-- Removes ASP.NET version header.  -->
    </system.web>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Server" />
                <remove name="X-Powered-By" />
            </customHeaders>
            <redirectHeaders>
                <clear />
            </redirectHeaders>      
        </httpProtocol>
        <security>
            <requestFiltering removeServerHeader="true" />
            <!-- Removes Server header in IIS10 or later and also in Azure Web Apps -->
        </security>
        <rewrite>
            <outboundRules>
                <rule name="Change Server Header"> <!-- if you're not removing it completely -->
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="Unknown" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
James asked Oct 21 '25 04:10


1 Answer

I didn't change any middleware code. I just used <requestFiltering removeServerHeader="true" />. Note: I have removed <remove name="Server" /> from customHeaders and the outboundRules. I have "Https only" -> Yes in my Azure App Service.

This works for me.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <httpRuntime enableVersionHeader="false" />
        <!-- Removes ASP.NET version header.  -->
    </system.web>
    <system.webServer>
        <httpProtocol>
            <customHeaders>                    
                <remove name="X-Powered-By" />
            </customHeaders>              
        </httpProtocol>
        <security>
            <requestFiltering removeServerHeader="true" />
            <!-- KEEP ONLY THIS -->
        </security>
    </system.webServer>
</configuration>
JenonD answered Oct 23 '25 21:10
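
One way to check the result of a web.config change on both hops, as an added example that is not part of the original question or answer: it inspects the 301 from http:// and the https:// response separately instead of following the redirect. The function names, the sample responses and the host app.example are constructed for illustration; the 301 sample mirrors the header reported in the question.

```python
"""Audit each hop of the HTTP -> HTTPS redirect for stack-disclosing headers."""
import http.client
from urllib.parse import urlsplit

# Headers that disclose the stack: the ones the page's web.config targets
# (Server, X-Powered-By, X-AspNet-Version) plus X-AspNetMvc-Version.
FINGERPRINT = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def leaked(headers):
    """Return {name: value} for fingerprinting headers that carry a non-empty value."""
    return {n.lower(): v.strip() for n, v in headers
            if n.lower() in FINGERPRINT and v.strip()}


def parse_head(raw):
    """Parse a raw response head (for example `curl -sI` output) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return status, headers


def fetch_head(url):
    """HEAD one URL without following redirects, so the 301 itself is inspected."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


# Constructed samples (not captured traffic); app.example is a placeholder host.
SAMPLE_HTTP_HOP = """HTTP/1.1 301 Moved Permanently
Location: https://app.example/
Server: Microsoft-IIS/10.0
Content-Length: 0
"""
SAMPLE_HTTPS_HOP = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, raw in (("http", SAMPLE_HTTP_HOP), ("https", SAMPLE_HTTPS_HOP)):
        status, headers = parse_head(raw)
        print(label, status, leaked(headers) or "clean")
```

Against a deployed app, pass the result of `fetch_head("http://<your-host>/")` and `fetch_head("https://<your-host>/")` to `leaked()`; a header present with an empty value, as the middleware in the question produces, is reported as clean.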