For security and branding purposes, it is often necessary to hide the technical stack of your website from public view. By default, IIS (Internet Information Services) and ASP.NET include headers such as X-Powered-By and Server, which can reveal your specific .NET version to potential attackers.
Why Remove These Headers?
Exposing server information is a form of Information Disclosure. Hackers use these headers to identify the server software and search for specific vulnerabilities (CVEs) associated with that version. Removing them is a standard step in server hardening.
Implementation via web.config
To remove these headers at the application level, you must modify your web.config file. This file is located in the root directory of your .NET project.
The Configuration Code
Add or update the <system.webServer> section with the following XML:
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Removes the X-Powered-By ASP.NET header -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Removes the 'Server' header in IIS 10+ -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
Breakdown of the Settings
1. The X-Powered-By Header
The <customHeaders> section manages headers added by IIS. By using the <remove> tag, you explicitly tell the server to stop broadcasting the default X-Powered-By: ASP.NET string.
2. The Server Header
The removeServerHeader="true" attribute is available in IIS 10 and later. This removes the header that typically displays Server: Microsoft-IIS/10.0.
Note: For versions older than IIS 10, you may need to use an Application_BeginRequest event in your Global.asax file or a dedicated URL Rewrite rule to strip the Server header.
How to Verify the Change
After saving your web.config and restarting your site, you should verify that the headers are gone using your browser's DevTools:
- Open your website.
- Press F12 to open Developer Tools and go to the Network tab.
- Refresh the page and click on the main document request (usually your domain name).
- Look under Response Headers. The X-Powered-By and Server entries should no longer appear.
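As an added check that complements the DevTools steps (example code written for this page, not part of the original post), the script below parses a captured response header block, or fetches a URL you pass on the command line, and reports whether the two headers removed by the web.config above are still being sent. The sample responses are constructed for illustration.

```python
# Added check: confirm the X-Powered-By and Server headers are really gone.
import sys
import urllib.request
from typing import Dict, List

DISCLOSING_HEADERS = ("server", "x-powered-by")  # removed by the web.config above


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP response (status line first).
    Names are lower-cased (header names are case-insensitive) and repeated
    headers are kept as a list, so a duplicated Server line is not missed."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def disclosing_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the fingerprinting headers still present, with their values."""
    return {n: headers[n] for n in DISCLOSING_HEADERS if n in headers}


def check_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL and report which disclosing headers it still sends."""
    with urllib.request.urlopen(url) as resp:
        headers: Dict[str, List[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return disclosing_headers(headers)


# Constructed samples: an IIS response before and after the web.config change.
BEFORE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n<html>"
)
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    # Pass a URL to check a live site; with no argument the sample is checked.
    leaks = (check_url(sys.argv[1]) if len(sys.argv) > 1
             else disclosing_headers(parse_response_headers(BEFORE)))
    print("hardened" if not leaks else f"still disclosing: {leaks}")
```

Run it against your own site after the restart; an empty result means both headers are gone from the response the server actually sends, independent of what the browser displays.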
Common Troubleshooting
- 500 Internal Server Error: This usually happens if the <system.webServer> section is duplicated. Ensure you are merging the new tags into your existing configuration rather than pasting a second copy of the section.
- Header Still Appears: If you are using a proxy or CDN (like Cloudflare), the header might be cached at the edge. Clear your CDN cache to see the changes.