How to remove the X-Powered-By header in .NET Core 2.0

As far as I know, the removal of these headers is facilitated with the Request Filtering module, which is part of IIS.

To remove a header, you need to have a web.config file stored on your site, with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- To customize the asp.net core module uncomment and edit the following section. 
  For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->

  <system.webServer>
    <handlers>
      <remove name="aspNetCore"/>
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>


</configuration>

Add this web.config to your .NET Core application's root folder.

Then it will remove the x-powered-by header.



In addition to @Brando Zhang's answer, to remove "Server: Kestrel" from the response header:

.NET Core 1

// Program.cs: AddServerHeader = false stops Kestrel from emitting "Server: Kestrel"
var host = new WebHostBuilder()
    .UseKestrel(c => c.AddServerHeader = false)
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();

.NET Core 2

// Program.cs: same Kestrel option, applied on top of the default builder
WebHost.CreateDefaultBuilder(args)
    .UseKestrel(c => c.AddServerHeader = false)
    .UseStartup<Startup>()
    .Build();

If you don't want to create a web.config file in an ASP.NET Core solution, you can remove the X-Powered-By header in IIS Manager.

Click on <ServerName> --> HTTP Response Headers --> X-Powered-By and choose the Remove action.

This will remove the header for all websites on that server. Which is fine because why would you want to share that info in the first place?


As an alternative option to the answers above, you can use a configuration transformation. That way the web.config will still be generated via the dotnet publisher SDK but can be mixed with specific tags such as the header removal.

In the root of the project create a new web.Release.config file as such:

<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location>

    <!-- To customize the asp.net core module uncomment and edit the following section. 
    For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
    <system.webServer>
      <httpProtocol xdt:Transform="InsertIfMissing">
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

  </location>
</configuration>

Note that this is a transformation file, not the actual web.config file.
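Because the transformation file is not the deployed file, it is worth checking the published web.config itself. The following check is an added example, not code from the answers above: it reports whether X-Powered-By survives a given web.config, whether `<customHeaders>` sits directly under `<system.webServer>` or inside `<location>`. The function name and the sample files are constructed, and it assumes the header is added at the IIS server level.

```python
import xml.etree.ElementTree as ET

# Constructed sample: published web.config after the transform above was applied.
PUBLISHED_OK = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location>
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>"""

# Constructed sample: the transform did not run, so there is no <httpProtocol>.
PUBLISHED_MISSING = """<configuration>
  <system.webServer><handlers /></system.webServer>
</configuration>"""

# Constructed sample: the header is removed, then re-added further down.
PUBLISHED_READDED = """<configuration>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="x-powered-by" />
    <add name="X-Powered-By" value="ASP.NET" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""


def header_still_sent(web_config_xml, header="X-Powered-By"):
    """Return True if the header inherited from the server level survives this file."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    present = True  # assumption: the IIS server level adds the header by default
    # iter() finds <customHeaders> at top level and inside <location> alike.
    for headers in root.iter("customHeaders"):
        for child in headers:  # document order matters: a later <add> re-adds it
            name = (child.get("name") or "").lower()
            if child.tag == "clear" or (child.tag == "remove" and name == header.lower()):
                present = False
            elif child.tag == "add" and name == header.lower():
                present = True
    return present


if __name__ == "__main__":
    for label, xml in [("ok", PUBLISHED_OK), ("missing", PUBLISHED_MISSING),
                       ("re-added", PUBLISHED_READDED)]:
        print(label, "-> header still sent:", header_still_sent(xml))
```

Run it against the web.config in the publish output as a release gate; it does not cover the Kestrel `Server` header, which is controlled in Program.cs.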

