Delete unnecessary HTTP Response Headers in ASP. NET and IIS

Observe the HTTP Response Header of the Web Server

To see the HTTP header for communication between the server and the browser, you need to install some plug-ins in the browser. For example, Fiddler is a free software released by Microsoft to record HTTP logs. These HTTP logs will contain the HTTP header. In this article, I will assume that the reader is familiar with this software. If you are not familiar with this software, I recommend that you read troubleshooting website problems by examining the HTTP traffic. This article details how to install and use Fiddler.

Use Fiddler to find a web server that uses IIS and Asp.net, such as the official website of Microsoft Asp.net. Generally, by default, the HTTP response header contains three identification headers of the Web server.

• Server-specify the server and server version, for example:
  • Server: Microsoft-Microsoft IIS/6/0
  • Server: Microsoft-Microsoft IIS/7.0
• X-powered-by indicates that the site is "powered by Asp.net"
  • X-powered-by: ASP. NET
• X-ASPnet-version is used to specify the current Asp.net version. Note that even if you use Asp.net 3.5, 2.0 may be reported in X-ASPnet-version:
  • X-ASPnet-version: 2.0.50727
  • X-ASPnet-version: 1.1.4322
• X-aspnetmvc: Specifies the current version of Asp.net MVC (if Asp.net MVC is used ):
  • X-aspnetmvc-version: 1.0

These server identification information is not used by the browser in most cases, so it can be safely removed. The rest of this article will show how to remove these HTTP headers

Remove the X-ASPnet-version HTTP Header

The X-ASPnet-version HTTP header will tell the world the current Asp.net version used by our servers. Removing this HTTP header is simply a piece of cake, just on the web. <system. web> Add the following content under the node:

Is it very easy and pleasant?
Remove the X-aspnetmvc-version HTTP Header
The X-aspnetmvc-version HTTP header is automatically added to the Asp.net MVC Framework. If you do not use Asp.net MVC, this HTTP header does not exist. the method to remove this HTTP header is in global. asax'sApplication_StartEvent willMvchandler classSet the disablemvcresponseheader attribute to true.
// C#MvcHandler.DisableMvcResponseHeader = true;' VBMvcHandler.DisableMvcResponseHeader = True 
Remove the X-powered-by HTTP Header

X-powered-
The HTTP header does not only exist in Asp.net. Other server languages, such as PHP, also contain this HTTP header. When Asp.net is installed, this header will be customized.
The HTTP header is inserted into IIS. Therefore, we need to delete this HTTP header from the IIS configuration. If your website is in a shared environment and does not use iis7 and uses the MPs queue mode, you don't
You do not have to contact your space provider to remove it. (If your website is in the iis7 environment, you can remove it through programming in the form of HTTP module)
Remove the X-powered-by HTTP header from IIS6:

 

 
  
Start IIS Manager
 
  
Expand website directory
 
  
Right-click website and select Properties from the pop-up menu
 
  
Select the HTTP header label. All custom HTTP headers contained in the IIS response are displayed here. You only need to select the HTTP header of the response and click Delete to delete the HTTP header of the response ,:

 

In iis7, the method for removing the X-powered-by HTTP header is:

 

 
  
Start IIS Manager
 
  
Expand website directory
 
  
Select the site you want to modify and double-click the HTTP response header.
 
  
All custom HTTP headers are here. To delete the corresponding headers, you only need to click the "Remove" link on the right:

 

Remove the Server HTTP Header
This HTTP header is automatically appended to the current IIS. You can use Microsoft's free URLScan Tool to delete this HTTP header.
If you are using the iis7 integrated pipeline mode, you can also use the HTTP module to remove it programmatically. In stefan grobner's blog, IIS 7-how to send a custom "server" HTTP header this article details how to modify the Server HTTP header. simply put, you need to create an HTTP module andPresendrequestheaders event to create an event handler. The code in this event handler will be similar:
HttpContext.Current.Response.Headers.Remove("Server");  
Howard von rooijen's article further discusses how to remove the Server HTTP header in iis7 and integrated pipeline mode. For more details, see cloaking your asp. net MVC web application on IIS 7
Summary
Removing the server's own recognition Response Header has the following benefits:

 

 
  
This reduces the amount of data transferred between the server and the browser.
 
  
It makes it more difficult for hackers to attack the server, making the server stronger.

 
The preceding HTTP headers do not bring direct benefits, but increase the bandwidth load slightly. Fortunately, we can remove them through configuration.