Removing Unnecessary HTTP Headers in IIS and ASP.NET
By Scott Mitchell
Introduction
Whenever a browser makes an HTTP request to a web server, it sends along several HTTP headers. These HTTP Headers are used to provide the web server with information to assist with handling the request. For instance, if the browser supports compression it will send along an
Accept-Encoding HTTP Header, which lets the web
server know what compression algorithms the browser can work with. Any cookies previously set by the web server are sent from the browser back to the server via the Cookies
HTTP Header. The browser also sends the User-Agent HTTP Header, which the web server can parse to determine the browser (IE, Firefox, Safari, etc.), the version
number, the operating system, and other information.
Similarly, the web server includes a number of HTTP Headers when it sends back the contents of the requested resource. These headers are used by the browser to determine how
to render the content and for how long to cache the content. The web server also sends back identifying information, much like the User-Agent request HTTP Header.
These identifying headers indicate the web server version along with the ASP.NET version(s) being used.
While certain HTTP Headers are necessary, the web server's identifying HTTP Headers are not necessary. Their inclusion inflates each HTTP response by around 100 bytes. Granted, 100 bytes is not much when taken alone, but when taken in the context of thousands or millions of requests over the course of time, those 100 bytes add up. Furthermore, providing identifying information can pose a security risk. An attacker who knows of a vulnerability in a particular web server and ASP.NET version combination could hunt for targets making HTTP requests to many different servers and flagging those that return the particular web server/ASP.NET version numbers.
This article looks at how to remove these identifying HTTP Headers in both IIS 6 and IIS 7. Read on to learn more!
Inspecting the Web Server's Response HTTP Headers
In order to examine the HTTP Headers sent from your browser to a web server and those returned from a web server back to the browser, you need to install a program or browser add-on that exposes such data. Fiddler is a free, stand-alone application from Microsoft that logs all HTTP (and HTTPS) traffic from your computer. This logged data includes the response and requests HTTP Headers, among other useful data. For this article I assume the reader is already familiar with Fiddler; if this is not the case, take a moment to read Troubleshooting Website Problems by Examining the HTTP Traffic, which details how to install and use Fiddler.
Using Fiddler, visit a website that you know is powered by Microsoft's IIS web server and ASP.NET technology, such as Microsoft's official ASP.NET website. By default, such websites will include three identifying HTTP Headers:
Server- specifies what web server version is being used. Examples of this header/value pair include:Server: Microsoft-IIS/6.0Server: Microsoft-IIS/7.0
X-Powered-By- indicates that the website is "powered by ASP.NET."- X-Powered-By: ASP.NET
X-AspNet-Version- specifies the version of ASP.NET being used. Note that this value returns the core framework version, meaning that even if you are using ASP.NET 3.5 theX-AspNet-Versionheader will report version 2.0. Possible values include:X-AspNet-Version: 2.0.50727X-AspNet-Version: 1.1.4322
X-AspNetMvc-Version- specifies the version of ASP.NET MVC being used (if any). Possible values include:X-AspNetMvc-Version: 1.0
Removing the X-AspNet-Version HTTP Header
The
X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used by your web server. Removing this header is a cinch - simply add
the following content inside the <system.web> element in your application's Web.config file:
<httpRuntime enableVersionHeader="false" />
|
That's all there is to it!
Removing the X-AspNetMvc-Version HTTP Header
The
X-AspNetMvc-Version HTTP Header is automatically added by the ASP.NET MVC framework. If you are not using ASP.NET MVC then this header won't be present.
However, if you are using ASP.NET MVC and want to remove this header you can do so by setting the MvcHandler
class's DisableMvcResponseHeader property to
True in the Application_Start event handler in Global.asax like so:
// C#
|
Removing the X-Powered-By HTTP Header
The
X-Powered-By HTTP Header is not unique to ASP.NET. Other server-side programming technologies, such as PHP, routinely include such an HTTP Header.
When ASP.NET is installed it adds X-Powered-By: ASP.NET as a custom header in IIS. Consequently, we need to remove this header from IIS's configuration.
If your website is hosted in a shared environment and is not using IIS 7 and the integrated pipeline, you may need to contact your web host provider and ask them to
remove this header for you. (If your website is hosted on IIS 7 and uses the integrated pipeline you can programmatically remove the X-Powered-By header
- and other identifying headers - via an HTTP Module. See the Removing the Server HTTP Header section later on in this article for more details.)
To remove the X-Powered-By header from IIS 6...
- Launch the Internet Information Services (IIS) Manager
- Expand the Web Sites folder
- Right-click on the website to modify and choose Properties from the context menu
- Select the HTTP Headers tab. The Custom HTTP Headers box lists all of the
HTTP Headers IIS will include on each response (see the screen shot below). To remove a header, select it and click the Remove
button.
X-Powered-By header from IIS 7...
- Launch the Internet Information Services (IIS) Manager
- Expand the Sites folder
- Select the website to modify and double-click the HTTP Response Headers section in the IIS grouping.
- Each custom header is listed here, as the screen shot below shows. Select the header to remove and click the Remove link in the right-hand column.
Removing the Server HTTP Header
The
Server header is automatically added to the outgoing response by IIS. To remove this header from IIS 6 or IIS 7 you can use Microsoft's free
UrlScan utility.
If you are using IIS 7's integrated pipeline, you can alternatively remove the Server header programmatically by means of an HTTP Module. Stefan
Grobner's blog entry, IIS 7 - How To Send A Custom "Server" HTTP Header,
shows code that modifies the Server header. In a nutshell, you need to create an HTTP Module that creates an event handler for the
PreSendRequestHeaders event. In that event handler
you'd write code similar to the following to remove the Server header:
HttpContext.Current.Response.Headers.Remove("Server");
|
Howard von Rooijen has a similar, more in-depth account of removing the Server HTTP Header (and other identifying headers) via an HTTP Module when using IIS 7
and its integrated pipeline mode. See Cloaking
your ASP.NET MVC Web Application on IIS 7 for more details.
Conclusion
Removing identifying response headers has two benefits:
- It slims down the quantity of data transmitted from the web server back to the browser, and
- It makes it a bit harder for attackers to determine the software (and their versions) that are powering the web server.
Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version HTTP headers provide no direct benefit and unnecessarily
chew up a small amount of bandwidth. Fortunately, these response headers can be removed with some configuration changes.
Happy Programming!