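// Global.asax.cs (needs: using System; using System.Web;)
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Raised just before the response headers are sent to the client.
    HttpApplication app = sender as HttpApplication;
    if (app != null && app.Context != null)
    {
        // Remove the headers that disclose the web server and framework versions.
        app.Context.Response.Headers.Remove("Server");
        app.Context.Response.Headers.Remove("X-AspNet-Version");
        app.Context.Response.Headers.Remove("X-AspNetMvc-Version");
    }
}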

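<!-- Goes inside the <system.webServer> section. -->
<httpProtocol>
    <customHeaders>
        <!-- Stop advertising the framework. -->
        <remove name="X-Powered-By" />
        <!-- Add the protective response headers. -->
        <add name="X-Frame-Options" value="DENY"></add>
        <add name="X-XSS-Protection" value="1; mode=block"></add>
        <add name="X-Content-Type-Options" value="nosniff"></add>
    </customHeaders>
</httpProtocol>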

Step By Step Example to remove unwanted headers from response

Keywords

HTTP Header Leaks

Secure Application to Prevent HTTP Header Leaks

Remove unwanted Header from Response

Remove HTTP Headers

Secure Asp.net Application





Security is an important factor in application development. We use different techniques to secure our applications, such as network security, application security, database security, etc.

The is a worldwide not-for-profit charitable organization focused on improving the security of software. They provide different sets of instructions for securing web applications. suggested to add and remove some useful HTTP headers to secure your applications.

Today we are removing the following HTTP headers from our response, so that a user can't identify our web server and the technology we are using. These are default headers added by the .NET Framework to the response. With these, a user can identify our etc.

When you call any API from a REST client, you will see the above HTTP headers, added by the .NET Framework, in the response. You can use any REST client to test your API. We are using

We have two ways to remove HTTP headers: use Global.asax or use file.

Use Global.asax's Application_PreSendRequestHeaders event to remove headers from the HTTP response.

Some custom headers are not available in to file. You need to use file to remove and add these headers.

You can learn more about useful HTTP headers here -

After implementing this, you will see that headers are removed from the response.
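To confirm the change took effect, the response headers can be checked automatically. The script below is an added example, not code from the original post: it audits a raw HTTP response head for the headers this page removes and the headers it adds. The function names and both sample responses (including the header values in them) are constructed for illustration.

```python
# Headers this page removes because they disclose the server and framework.
LEAKY = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# Headers this page adds, with the values from its customHeaders section.
REQUIRED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

def parse_headers(raw_head):
    """Map lower-cased header names to the list of values seen."""
    headers = {}
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_response(raw_head):
    """Return findings: leaked, missing or unexpected headers."""
    headers = parse_headers(raw_head)
    findings = []
    for name in LEAKY:
        for value in headers.get(name.lower(), []):
            findings.append(f"leak: {name}: {value}")
    for name, expected in REQUIRED.items():
        values = headers.get(name.lower())
        if not values:
            findings.append(f"missing: {name}")
        elif any(v.lower() != expected.lower() for v in values):
            findings.append(f"unexpected: {name}: {values}")
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
          "Server: Microsoft-IIS/10.0\r\nX-AspNet-Version: 4.0.30319\r\n"
          "X-AspNetMvc-Version: 5.2\r\nX-Powered-By: ASP.NET\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
         "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(raw) or "OK")
```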