Removal of Unnecessary HTTP Headers

Santosh.Impossible
Posted in ASP.NET MVC category for Beginner level

Introduction

The main objective of this article is to remove the unwanted HTTP headers that appear in the response headers section of an HTTP request.

Background

A few days ago, while working on performance improvement changes for my application, I started delving into the internals of the HTTP request and response model. As usual, I started by creating a demo app using the ASP.NET MVC 4 template with all the defaults and pressed F5 with Chrome set as my default browser.

The default Home page was displayed on the screen. After opening the Developer Tools option in the Chrome browser, navigating to the Network tab and refreshing the web page once more, I saw the following:

Looking at the response headers section, I was surprised to see that a lot of information about the site is exposed to the external world. From the above screenshot we can see that there are some unnecessary headers present under the response headers section:

Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.303319
X-Powered-By: ASP.NET

The above headers expose the following information:
The type of web server on which our application is hosted.
The technology and the framework used to develop the application.

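Exposing such details is considered a security weakness: it is an information disclosure that tells an attacker which web server, technology and framework versions the application runs on, which makes it easier to understand the application and choose an attack that fits it. Removing the headers only hides this information, so the server and framework still need to be kept patched.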

Imagine what would happen if such details were exposed in the case of a banking, e-commerce or travel site where financial transactions take place daily. Our customers would be unhappy and would not trust us, since it is a serious concern for the security of the application. No one wants security to be compromised at any cost.

This is the theory behind the issue. Let's go ahead and take the necessary steps to remove the unnecessary header information from the response.

Implementation

Open the demo app created for the above sample preparation.


Let us handle the process of removing the unnecessary headers step by step. In each step below, we will be looking into the action needed to be taken against each response header.

X-Powered-By: ASP.NET

To remove the X-Powered-By: ASP.NET header, open IIS Manager and navigate to the HTTP Response Headers section, as shown in the screenshot below:


Right click on it and select the Open Feature option. 

Select the X-Powered-By header and right click on it and then select the Remove option. You are done now with removal of the X-Powered-By header.



We can also use the web.config file to accomplish the above change. Open the web.config file and update it with the following snippet:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

X-AspNet-Version: 4.0.303319

Now let us look at how to remove X-AspNet-Version. Open the main web.config file and paste the following snippet:

<system.web>
  <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
</system.web>

Server: Microsoft-IIS/8.0
X-AspNetMvc-Version: 4.0

To remove the above headers, create a folder named Utils, add a class named RemoveUnnecessaryHeadersModule to it, and have the class implement IHttpModule.

The module code should be as mentioned below:



Now we need to register the RemoveUnnecessaryHeadersModule in our application. To do that, open the web.config file and update it with the following snippet:

<system.webServer>
  <modules>
    <!-- Remove Unnecessary HeadersModule -->
    <add name="RemoveUnnecessaryHeadersModule" type="DemoMVCApp.Utils.RemoveUnnecessaryHeadersModule"/>
  </modules>
</system.webServer>

NOTE: The above snippet should be placed under the system.webServer tag if you are using Integrated mode; otherwise, place it under the system.web tag.

X-AspNetMvc-Version: 4.0 can also be removed by using the Application_Start event of the Global.asax file. The code snippet is as mentioned below:
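The module and the Application_Start change described in the steps above, written out as an added example (this is not the author's original listing). The DemoMVCApp namespace is taken from the registration snippet, MvcApplication is assumed to be the project's Global.asax class as in the default MVC template, and the module assumes IIS integrated pipeline mode.

```csharp
// Added example: Utils/RemoveUnnecessaryHeadersModule.cs
using System;
using System.Web;

namespace DemoMVCApp.Utils
{
    // Removes the Server and X-AspNetMvc-Version headers from each response.
    public class RemoveUnnecessaryHeadersModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Raised just before ASP.NET sends the response headers.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers can only be used in the IIS integrated
            // pipeline; in classic mode it throws PlatformNotSupportedException.
            if (!HttpRuntime.UsingIntegratedPipeline) return;

            HttpContext context = ((HttpApplication)sender).Context;
            if (context == null) return;

            // Remove() is a no-op when the header is not present.
            context.Response.Headers.Remove("Server");
            context.Response.Headers.Remove("X-AspNetMvc-Version");
        }

        public void Dispose()
        {
            // Nothing to release.
        }
    }
}

// Added example: Global.asax.cs. Put the assignment into the
// Application_Start that the MVC template already generated.
namespace DemoMVCApp
{
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            // Stops MvcHandler from adding X-AspNetMvc-Version at all.
            System.Web.Mvc.MvcHandler.DisableMvcResponseHeader = true;
        }
    }
}
```

Microsoft's documentation advises against handling PreSendRequestHeaders in managed modules because it can cause problems with asynchronous requests; on .NET Framework 4.5.2 and later the same header removal can be registered with HttpResponse.AddOnSendingHeaders instead.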



Now we are done with all the changes. It’s time to test the changes implemented above. 

Run the application once again using the Chrome browser and open the Developer Tools option. Navigate to the Network tab, refresh the web page once more and check the headers under the response headers section.



You can see in the above screenshot all the unnecessary headers are removed now from the response headers section.

Conclusion

That's all: we have now accomplished the task of removing the unnecessary headers.

About the Author

Santosh.Impossible
Full Name: santosh patro
Country: India
santosh kumar patro
http://www.dotnetfunda.com
WebDeveloper

Comments or Responses

Posted by: Sheonarayan on: 5/14/2014 | Points: 25
Nice article Santosh. Keep it up!
