Remove header information from responses sent by your website
Remove header information from each response sent by your website to improve security.
You can improve security and save a small amount of bandwidth if you remove the header information from each response sent by your website.
These headers contain a number of infrastructure details about the framework that is used on your website that you do not need to publicize.
Note
SXA removes the header information by default.
This topic describes how to:
Remove the X-AspNetMvc-Version HTTP header
If you remove the X-Aspnet-Version HTTP header information from each webpage, you save a little bandwidth and ensure that you are not publicizing which version of ASP.NET you are using.
To remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the web.config file:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
For more information, see the dotnetperls website.
If you remove the X-Powered-By HTTP header, you are not publicizing which version of ASP.NET you are using.
To remove the X-Powered-By HTTP header from each response from ASP.NET, add the following code to the web.config file:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
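To confirm that a web.config carries both settings shown above, the following Python sketch parses the file and reports which of the two headers the configuration still allows. It is an added example, not part of the original documentation. The function names and sample configs are constructed, and it assumes root-level sections (no <location> wrappers, no XML namespace) and that X-Powered-By is inherited from the server-level IIS configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the httpRuntime change from the page is applied.
SAMPLE_PARTIAL = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

# Constructed sample: both changes from the page are applied.
SAMPLE_HARDENED = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

def version_header_disabled(root):
    """True only when httpRuntime explicitly sets enableVersionHeader="false"."""
    node = root.find("./system.web/httpRuntime")
    if node is None:
        return False  # no httpRuntime element: the ASP.NET default (header on) applies
    return node.get("enableVersionHeader", "true").strip().lower() == "false"

def powered_by_removed(root):
    """Replay the customHeaders collection in document order."""
    removed = False
    for item in root.findall("./system.webServer/httpProtocol/customHeaders/*"):
        is_target = item.get("name", "").strip().lower() == "x-powered-by"
        if item.tag == "clear":
            removed = True            # <clear /> drops every inherited header
        elif item.tag == "remove" and is_target:
            removed = True
        elif item.tag == "add" and is_target:
            removed = False           # a later <add> puts the header back
    return removed

def audit_web_config(xml_text):
    """Return the names of the disclosure headers this config still allows."""
    root = ET.fromstring(xml_text)
    still_sent = []
    if not version_header_disabled(root):
        still_sent.append("X-Aspnet-Version")
    if not powered_by_removed(root):
        still_sent.append("X-Powered-By")
    return still_sent
```

An empty result from audit_web_config means both settings are in place. A live response from the site should still be inspected, because headers can also be added outside web.config.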