Removing the Server and X-Powered-By HTTP headers in ASP.NET Core

Jeroen Verhaeghe
2 min read · May 10, 2023


Some HTTP headers, notably “Server” and “X-Powered-By”, disclose the server technology behind an application. IIS and Kestrel both add them by default. Removing them does not hide the stack completely (error pages, header ordering and other behaviour still allow fingerprinting), but it takes away the easiest clue and removes the version number that scanners match against known vulnerabilities.

Kestrel by default adds “Server: Kestrel”. IIS by default adds “X-Powered-By: ASP.NET” and its own Server header, “Server: Microsoft-IIS/10.0” on IIS 10.

The X-Powered-By header

IIS adds this header through its custom-headers configuration, so it is removed there as well. Put this inside the <configuration> root of the application's web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- IIS adds X-Powered-By: ASP.NET by default; remove it for this site -->
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The Server header

The “Server: Kestrel” header is removed in the host configuration of the application by setting AddServerHeader to false on the Kestrel options. With the classic IWebHostBuilder this looks as follows; in .NET 6 and later with the minimal hosting model the same option is set through ConfigureKestrel on builder.WebHost.

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        // Kestrel adds "Server: Kestrel" to every response unless this is false
        .UseKestrel(options => options.AddServerHeader = false)
        .UseStartup<Startup>();

Removing the Server header in IIS 10

Add this to web.config (again inside the <configuration> root) to stop IIS from adding its Server header. The removeServerHeader attribute exists only on IIS 10 or later; on older versions it is ignored.

<system.webServer>
  <security>
    <!-- removeServerHeader requires IIS 10.0 or later -->
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>

For nginx the Server header cannot be removed with the stock build, but the version number can be stripped from it. By default the header contains both the product name and the running version, for example “Server: nginx/1.18.0”.

Set this in nginx.conf, inside the http, server or location context, and restart nginx for the change to take effect:

server_tokens off;

Restart nginx:

sudo service nginx restart

After this the header still reads “Server: nginx”. To replace the product name as well, install nginx-extras, which ships the headers-more module:

sudo apt-get install nginx-extras

After the installation add this to nginx.conf (same contexts as above) to replace the value of the Server header:

more_set_headers 'Server: mystery';
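To confirm that a change actually landed, look at what the server sends rather than at the config. The following script is an added example, not part of the original post: it parses a raw HTTP/1.x response head and reports, for each of the two headers discussed above, whether it is absent, replaced by an opaque value (the more_set_headers case), still naming the product (the server_tokens off case, or Kestrel and IIS defaults), or still carrying a version number. The sample responses at the bottom are constructed to match the states the post describes, not real captures; the product list and the verdict names are this example's own choices.

```python
"""Classify Server / X-Powered-By disclosure in raw HTTP responses (added example)."""
from __future__ import annotations

import re
import sys

# The two headers the post is about.
DISCLOSING_HEADERS = ("server", "x-powered-by")
# Product names discussed in the post, matched case-insensitively as a prefix.
KNOWN_PRODUCTS = ("kestrel", "microsoft-iis", "nginx", "asp.net")
# A version suffix such as "nginx/1.18.0" or "Microsoft-IIS/10.0".
VERSION_RE = re.compile(r"/\d+(?:\.\d+)*")
# Worst case wins when a header is repeated.
RANK = {"opaque": 0, "product": 1, "version": 2}


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Parse the head of an HTTP/1.x response into a lowercase-keyed header map.

    The body (if any) is ignored; repeated headers are kept in order.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x response")
    headers: dict[str, list[str]] = {}
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify(value: str) -> str:
    """'version' if a version number is present, 'product' if only a known name, else 'opaque'."""
    v = value.lower()
    if VERSION_RE.search(v):
        return "version"
    if any(v.startswith(p) for p in KNOWN_PRODUCTS):
        return "product"
    return "opaque"


def assess(raw: bytes) -> dict[str, str]:
    """One verdict per disclosing header: absent, opaque, product or version."""
    headers = parse_headers(raw)
    verdicts: dict[str, str] = {}
    for name in DISCLOSING_HEADERS:
        values = headers.get(name, [])
        if not values:
            verdicts[name] = "absent"
        else:
            verdicts[name] = max((classify(v) for v in values), key=RANK.__getitem__)
    return verdicts


def findings(raw: bytes) -> list[str]:
    """Human-readable list of what still leaks; empty when nothing does."""
    headers = parse_headers(raw)
    return [
        f"{name} discloses {verdict}: {', '.join(headers[name])}"
        for name, verdict in assess(raw).items()
        if verdict in ("product", "version")
    ]


# Constructed sample responses (not real captures), one per state the post describes.
IIS_DEFAULT = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Microsoft-IIS/10.0\r\n"
               b"X-Powered-By: ASP.NET\r\n"
               b"Content-Length: 0\r\n\r\n")
KESTREL_DEFAULT = b"HTTP/1.1 200 OK\r\nServer: Kestrel\r\nContent-Length: 0\r\n\r\n"
NGINX_DEFAULT = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"
NGINX_TOKENS_OFF = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
NGINX_MORE_SET = b"HTTP/1.1 200 OK\r\nServer: mystery\r\nContent-Length: 0\r\n\r\n"
HARDENED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

SAMPLES = {
    "IIS default": IIS_DEFAULT,
    "Kestrel default": KESTREL_DEFAULT,
    "nginx default": NGINX_DEFAULT,
    "nginx server_tokens off": NGINX_TOKENS_OFF,
    "nginx more_set_headers": NGINX_MORE_SET,
    "hardened": HARDENED,
}

if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Real response piped in, e.g. from: curl -sI https://host/ | python check_headers.py
        print(findings(sys.stdin.buffer.read()) or ["no Server / X-Powered-By disclosure"])
    else:
        for label, raw in SAMPLES.items():
            print(f"{label}: {assess(raw)}")
```

Piping the output of curl -sI against a test instance of the application into the script checks the live behaviour; the "product" verdict for the nginx case after server_tokens off is expected, since the stock build only drops the version.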
