Remove Unwanted (Default) HTTP Response Headers in ASP.Net MVC

Posted On: 24-Jun-2017 05:44 

Rahul M...

Introduction
When you create a new ASP.NET MVC project, every response from the application carries a set of default HTTP response headers. None of these are necessary or helpful, and they can even be harmful (for example, they make it very easy for potential attackers to identify the system). In other words, an ASP.NET application loves to show the world which technology it is running on.

Why do we want to remove unwanted HTTP response headers?
If you are a developer or architect working on web applications, you don't want to share the technology, web server and framework version with the outside world. But in an ASP.NET application, by default, this information can be seen in the HTTP response headers of each page request:

Here you can see the following headers:

  1. Server:Microsoft-IIS/8.0
  2. X-AspNet-Version:4.0.30319
  3. X-AspNetMvc-Version:4.0
  4. X-Powered-By:ASP.NET

The above headers expose the following information:

  • The type of web server on which the application is hosted.
  • The technology and framework used to develop the application.

Exposing such details is an information disclosure weakness. They are enough for an attacker to understand the application stack and plan an attack against it.

How to remove unwanted HTTP response headers?
These headers can be removed using the following methods:

1. Remove header 'Server':
In an ASP.NET MVC application you can create a filter class as follows:

using System.Web;
using System.Web.Mvc;

namespace MySolution.ActionFilter
{
    // Action filter that strips the Server header from responses produced by MVC actions.
    public class RemoveUnwantedHeaderAttribute : ActionFilterAttribute
    {
        // Runs after the action result has executed.
        // Response.Headers requires the IIS integrated pipeline mode.
        public override void OnResultExecuted(ResultExecutedContext filterContext)
        {
            filterContext.HttpContext.Response.Headers.Remove("Server");
            base.OnResultExecuted(filterContext);
        }
    }
}

Register it globally in FilterConfig.cs:

using System.Web;
using System.Web.Mvc;
using MySolution.ActionFilter;

namespace MySolution
{
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new RemoveUnwantedHeaderAttribute());
        }
    }
}

2. Remove header 'X-AspNet-Version':

This header can be removed by changing the web.config file as follows:

<system.web>
  <httpRuntime maxRequestLength="1048576" targetFramework="4.5" enableVersionHeader="false"/>
</system.web>

3. Remove header 'X-AspNetMvc-Version':
Add MvcHandler.DisableMvcResponseHeader = true; to the Application_Start event in the global.asax.cs file:

using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterGlobalBundleConfig(BundleTable.Bundles);

        // Stop MVC from adding the X-AspNetMvc-Version header.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    // Runs just before headers are sent, so it also removes these headers for API endpoints.
    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
        Response.Headers.Remove("X-AspNet-Version");
    }
}

4. Remove header 'X-Powered-By':
Add the following to web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Now run the application again. The following headers no longer appear in the response:

  1. Server:Microsoft-IIS/8.0
  2. X-AspNet-Version:4.0.30319
  3. X-AspNetMvc-Version:4.0
  4. X-Powered-By:ASP.NET
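
To confirm the result on more than one page, the following added example (not part of the original article) audits raw response header text for the four headers listed above and names the step that removes each one. The sample responses are constructed for illustration, and FIXES, parse_headers and audit are names chosen for this example.

```python
# Header name (lower-case) -> the step in this article that removes it.
FIXES = {
    "server": "step 1: filter / Application_PreSendRequestHeaders",
    "x-aspnet-version": 'step 2: enableVersionHeader="false" in web.config',
    "x-aspnetmvc-version": "step 3: MvcHandler.DisableMvcResponseHeader = true",
    "x-powered-by": 'step 4: <remove name="X-Powered-By" /> in web.config',
}


def parse_headers(raw):
    """Parse the head of a raw HTTP response into [(name, value), ...]."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:  # first line is the status line
        if line[:1] in (" ", "\t") and headers:
            # Obsolete folded continuation: append to the previous value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def audit(raw):
    """Return [(header, value, fix)] for each disclosing header still present."""
    # Header names are case-insensitive, so compare in lower case.
    return [(n, v, FIXES[n.lower()])
            for n, v in parse_headers(raw) if n.lower() in FIXES]


# Constructed samples (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          "Server: Microsoft-IIS/8.0\r\nX-AspNetMvc-Version: 4.0\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n\r\n")
# An error response where only some of the steps took effect.
PARTIAL = ("HTTP/1.1 404 Not Found\r\ncontent-type: text/html\r\n"
           "server: Microsoft-IIS/8.0\r\nx-powered-by: ASP.NET\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"

if __name__ == "__main__":
    samples = (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER))
    for label, raw in samples:
        findings = audit(raw)
        print(label + ":", "clean" if not findings else "")
        for name, value, fix in findings:
            print(f"  {name}: {value}  ->  {fix}")
```

Run it against the headers of error pages, static files and API endpoints as well as normal MVC pages, since the action filter in step 1 only runs for MVC actions.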

Conclusion
In this article, you have learned how to remove unwanted HTTP response headers. I hope it is helpful.

1 Comments
great...

xyan
12-Jul-2017 at 08:26