The image below shows what you too often see when visiting a website and inspecting the response headers through common browser tools such as the WebKit Inspector, Firebug, Fiddler and the like.

Update: @JoelMartinez pointed out on Twitter that X- prefixed headers are being deprecated (RFC 6648), which is yet another reason to get rid of these headers.

However, broadcasting this much information has unintended consequences: the server, framework and version strings let anyone fingerprint your stack and look for exploits that target those exact versions.

Security expert Troy Hunt has a good post on why you should hide such response headers.

If you are using ASP.NET and ASP.NET MVC on Windows, there are four response headers that you will want to get rid of:

Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 3.0

NOTE: Keep in mind that your version numbers may vary depending on your environment.

Ok, so how do we get rid of them?

Simply add the following to Global.asax (or to any class that inherits from HttpApplication).
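The original listing was an image (and a gist). The code below is an added reconstruction of the approach the post describes, not the author's gist itself; the class name and the array of header names are my own choices. It assumes the IIS 7 integrated pipeline, which is what exposes Response.Headers to managed code.

```csharp
using System;
using System.Web;

// Global.asax.cs for a hypothetical app (added example, not the post's own
// listing). Requires the IIS 7 integrated pipeline: HttpResponse.Headers
// throws PlatformNotSupportedException under the classic pipeline.
public class Global : HttpApplication
{
    // The four identifying headers listed earlier. Header names are
    // case-insensitive, so "Server" also matches "server".
    private static readonly string[] HeadersToStrip =
    {
        "Server",              // Server: Microsoft-IIS/7.0
        "X-Powered-By",        // X-Powered-By: ASP.NET
        "X-AspNet-Version",    // X-AspNet-Version: 2.0.50727
        "X-AspNetMvc-Version"  // X-AspNetMvc-Version: 3.0
    };

    // ASP.NET wires Application_<EventName> methods in Global.asax to the
    // matching HttpApplication event. PreSendRequestHeaders fires once per
    // response, just before the headers are written, which is late enough
    // that MvcHandler has already added its version header.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpResponse response = Response;
        foreach (string name in HeadersToStrip)
        {
            // Response.Headers is a NameValueCollection; Remove is a no-op
            // when the header is absent, so this is safe for every response.
            response.Headers.Remove(name);   // one collection lookup per header, per request
        }
    }
}
```

Two caveats. Only responses that pass through ASP.NET reach this handler: responses IIS produces on its own (its built-in error pages, or static files when the managed pipeline is not run for them) keep their Server header. And because the removal happens on every response, the cost is a handful of NameValueCollection lookups per request, which is the trade-off discussed below.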

If you want the code without having to retype it from the image, I've created a gist that you can copy and paste.

You could also create an IHttpModule, subscribe to the PreSendRequestHeaders event and run the same code there. See this forum post for details.

Not so fast!

As an astute reader you may have noticed the comments at the end of the lines above. While the method above is probably the simplest to implement, there are other, slightly more ideal ways.

NOTE: Doing a lookup into a NameValueCollection on every request seems less than ideal. Perhaps there is no significant performance hit, but I would feel better turning these headers off globally.

Unfortunately, apart from per-request code like the above, there is no web.config switch on IIS 7 for the Server header; removing it server-wide (for example with URLScan's RemoveServerHeader option) requires admin access to the IIS instance. Because having such access in production is rare for most developers, we will focus on the other three.

For those who do have access, a quick Google search will turn up screenshots and instructions for doing this through the IIS Manager GUI, PowerShell or the command line.

Who’s got the power?

First, remove the X-Powered-By header in web.config like so.

Inside system.webServer, make sure the httpProtocol section exists, then add a remove entry for X-Powered-By under customHeaders. The header is inherited from the server-level applicationHost.config, which is why it has to be explicitly removed rather than simply left out.

I prefer this method over the code-centric way, since it can be modified without recompiling or redeploying. Additionally, you can add your own Powered-By value, as I've done in the screenshot for reference.

Adding your own is not required, but it can be a nice touch to identify your product, or perhaps to impress your boss/manager.

Hiding the Version

The ASP.NET version header (X-AspNet-Version) can also be removed via web.config; however, this one lives under the system.web section, as the enableVersionHeader attribute of httpRuntime.
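The post showed its web.config as screenshots. The fragment below is an added example, not the author's own file, and covers both config-based removals from the two sections above: the X-Powered-By entry under system.webServer and the enableVersionHeader switch under system.web. The custom "Powered-By" value is a placeholder.

```xml
<?xml version="1.0"?>
<!-- Added example web.config (not the post's screenshot). Only the parts
     relevant to the response headers are shown; merge into your own file. -->
<configuration>

  <system.web>
    <!-- Drops X-AspNet-Version: 2.0.50727. Applies to every ASP.NET response. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: ASP.NET is inherited from applicationHost.config,
             so it must be removed here; leaving it out is not enough. -->
        <remove name="X-Powered-By" />

        <!-- Optional: advertise your own value instead. The remove above
             must come first, otherwise IIS rejects the duplicate "name" key
             with a configuration error. "Example Product" is a placeholder. -->
        <add name="X-Powered-By" value="Example Product" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

</configuration>
```

Note that these two settings do nothing for the Server header (which has no web.config switch) or for X-AspNetMvc-Version (which MVC adds in code, see the next section).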

Did someone say MVC?

Finally, to disable the X-AspNetMvc-Version header, set MvcHandler.DisableMvcResponseHeader to true somewhere in your startup code, usually Application_Start in Global.asax.
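An added example of where that line goes, not the post's own Global.asax: the class and route registration follow the standard MVC 3 project template and are placeholders, MvcHandler.DisableMvcResponseHeader is the real framework property.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Global.asax.cs of a hypothetical ASP.NET MVC 3 app (added example).
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Static, process-wide flag that MvcHandler checks before adding
        // X-AspNetMvc-Version. Set it once at startup, before the first
        // request is handled; unlike the PreSendRequestHeaders approach
        // there is no per-request work.
        MvcHandler.DisableMvcResponseHeader = true;

        AreaRegistration.RegisterAllAreas();
        RegisterRoutes(RouteTable.Routes);
    }

    // Standard MVC 3 template routing, included only so the class is complete.
    private static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}
```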

Where are We?

Hopefully the techniques shown here will help you hide or customize these headers in your ASP.NET and MVC deployments. Verify the result the same way you found the headers in the first place: reload the page with your browser tools or Fiddler open and confirm that none of the four headers are still present.