How to remove "Server", "X-Frame-Options" in Response Headers

  • Question

  • User135423268 posted

    Good Day Everyone

    I have recently pen tested our application and somehow the Server: Microsoft-IIS/10.0 is still showing on the Response Header, but for the Request Headers, it is completely gone. I used the following code below in my Global.asax but it's still in there. Does anyone know how to hide or remove it?

    Here's the code:

        Protected Sub Application_PreSendRequestHeaders(ByVal sender As Object, ByVal e As EventArgs)
    
            Dim app = TryCast(sender, HttpApplication)
            If app Is Nothing OrElse Not app.Request.IsLocal OrElse app.Context Is Nothing Then
                Return
            End If
    
            Dim headers = app.Context.Response.Headers
            headers.Remove("Server")
            With Response.Headers
                .Remove("Server")
                .Remove("X-AspNet-Version")
                .Remove("X-AspNetMvc-Version")
                .Remove("X-Powered-By")
            End With
    
        End Sub

    Thursday, February 7, 2019 8:06 AM

All replies

  • User283571144 posted

    Hi amendoza29,

    According to your description, I suggest you try following the steps below to remove the "Server", "X-Frame-Options" in Response Headers.

    1. Open the Global.asax.cs file. Use the Application_BeginRequest event to hide the Server header. Add the following event to the file; if that method already exists, add the content of the following method to the existing event method.

        Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
            Dim app = TryCast(sender, HttpApplication)
    
            If app IsNot Nothing AndAlso app.Context IsNot Nothing Then
                app.Context.Response.Headers.Remove("Server")
            End If
        End Sub

    2. Open the Web.Config file and find the <httpProtocol> node under the <system.webServer> node. Check whether there is a child node under <httpProtocol> called <customHeaders>. By default in MVC, you will not see this customHeaders child node. If it does not exist, create a <customHeaders> node and add the following to remove the X-Powered-By header.

    <httpProtocol> 
     <customHeaders> 
      <remove name="X-Powered-By"/>
     </customHeaders> 
    </httpProtocol>

    Best Regards,

    Brando

    Friday, February 8, 2019 1:37 AM
  • User135423268 posted

    Hi Brando

    Thanks for the response. I've tried your solution, but the Server is still in there.

    Monday, February 11, 2019 12:54 AM
  • User409696431 posted

    I can't help with an answer, but I'm just curious: why do you want to remove it?

    Monday, February 11, 2019 1:13 AM
  • User135423268 posted

    Hi Kathy

    It's a finding during the penetration testing of our system.

    Monday, February 11, 2019 5:31 AM
  • User283571144 posted

    Hi amendoza29,

    According to your description, I have tested my solution on my side, and it still works well.

    I suggest you try to clear the browser's cache or use another browser, then check the response header again.

    If this solution still doesn't solve your issue, I suggest you share your application so the issue can be reproduced, if possible.

    Best Regards,

    Brando

    Tuesday, February 12, 2019 2:10 AM
  • User753101303 posted

    Hi,

    Try perhaps https://www.saotn.org/remove-iis-server-version-http-response-header/

    If I remember, the problem with doing that from your ASP.NET application is that it may not work depending on the site configuration (the query needs to be actually processed by your app, so an IIS-level solution could be better).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 12, 2019 4:24 PM
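
One IIS-level way to do what the reply above suggests, as an added example that is not taken from the thread or from the linked article. It assumes IIS 10.0 on a build that supports the `removeServerHeader` attribute and a System.Web (ASP.NET) application; the file is the site's root web.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the poster's configuration.
     Assumption: IIS 10.0 build that supports removeServerHeader. -->
<configuration>
  <system.web>
    <!-- Stops ASP.NET from emitting X-AspNet-Version.
         If <httpRuntime> already exists, add the attribute to it. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS itself drops the Server header, so responses that are
           not processed by the application (static files, IIS error
           pages) are covered as well as pages. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is inherited from the server-level
             customHeaders list; remove it for this site. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Merge these attributes into existing elements rather than duplicating the elements. After deploying, check the response headers of a page, a static file and a non-existent URL, since the last two are the responses a Global.asax handler can miss.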
  • User135423268 posted

    Good Day Everyone

    I have solved the problem using the solution below

    https://www.saotn.org/remove-iis-server-version-http-response-header/

    Thanks for the response and support everyone.

    Monday, March 18, 2019 1:37 AM
  • User135423268 posted

    Thanks PatriceSc

    I saw the solution, and you also provided it. Thanks, you're the best.

    Monday, March 18, 2019 1:42 AM