Removing excessive headers in ASP.NET MVC

While hosting a website on Azure I thought it prudent that, as well as following secure development practices, I ran a few automated security checks; with ASafaWeb in particular that's a very simple process.

On the whole the website passed muster, with only a few warnings flagged, of which only one was relevant. That warning was raised because every response exposed the following headers, which reveal the names and versions of the technologies the website runs on.

Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

Whilst this information isn't the deciding factor in whether a website is attacked, it certainly helps an attacker during reconnaissance: a known server, framework or runtime version can be matched directly against published vulnerabilities. Hiding the versions reduces that reconnaissance value (it is no substitute for keeping the stack patched), and since the mitigation is so simple I've listed the change needed to suppress each of the headers.

Server header

Header you'll be preventing:

Server: Microsoft-IIS/10.0

Add the following requestFiltering element to your project's Web.config. Note that the removeServerHeader attribute is only recognised by IIS 10.0 and later; older IIS versions ignore it, so there the header has to be stripped another way, for example with a URL Rewrite outbound rule or by removing it from the response in an HttpModule.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true"/>
    </security>
    ...
  </system.webServer>
  ...
</configuration>

In my case Visual Studio warned that "The removeServerHeader header is not allowed."; however, as well as this being a suggestion on the Azure Team's Blog, the website ran on both the local and Azure servers without a problem and the Server header was no longer sent.

(Screenshot: Visual Studio warning that the removeServerHeader attribute is not allowed)

ASP.NET MVC version

Header you'll be preventing:

X-AspNetMvc-Version: 5.2

Add the following line to the Application_Start method in the project's Global.asax.cs, keeping whatever route, bundle and filter registration is already there. This disables the header in MVC itself, so it works regardless of the IIS version.

using System.Web.Mvc;

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        // Stop MvcHandler adding "X-AspNetMvc-Version" to every response.
        // Must run before any request is handled, hence Application_Start.
        MvcHandler.DisableMvcResponseHeader = true;
    }
}

ASP.NET Version

Header you'll be preventing:

X-AspNet-Version: 4.0.30319

Add the enableVersionHeader attribute to the httpRuntime element in your project's Web.config. The element is usually already present (carrying a targetFramework attribute); add the attribute to the existing element rather than declaring a second httpRuntime, which IIS rejects as a duplicate.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false"/>
    ...
  </system.web>
</configuration>

Powered By ASP.NET

Header you'll be preventing:

X-Powered-By: ASP.NET

Add the following remove element to the customHeaders element in your project's Web.config. IIS adds X-Powered-By as a custom header in applicationHost.config, which is why it is removed here rather than in system.web; the same setting can also be changed in IIS Manager under HTTP Response Headers.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    ...
  </system.webServer>
</configuration>
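Once the four changes are deployed it's worth verifying them from outside rather than trusting the config. The following script is an added example and not code from the original post: it scans an HTTP response for the four headers discussed above and reports which are still present. The BEFORE and AFTER responses embedded in it are constructed samples (the header values match those quoted in the post), not captures from a real server; check_url performs a real HEAD request against a URL you supply.

```python
"""Check whether an ASP.NET/IIS site still sends technology-fingerprinting headers.

Added example; it is not code from the original post. It scans the
headers of an HTTP response for the four headers discussed above and
reports which are still present, so the Web.config / Global.asax changes
can be verified. The BEFORE/AFTER responses at the bottom are constructed
samples, not captures from a real server.
"""
import http.client
import ssl
import sys
from urllib.parse import urlparse

# Headers that reveal the server, framework and runtime versions.
FINGERPRINT_HEADERS = (
    "Server",
    "X-AspNetMvc-Version",
    "X-AspNet-Version",
    "X-Powered-By",
)


def parse_raw_headers(raw):
    """Split a raw HTTP response (status line, headers, optional body)
    into a list of (name, value) pairs, ignoring the status line and body."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # [0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")   # values may contain ':' (e.g. Date)
        pairs.append((name.strip(), value.strip()))
    return pairs


def leaked_headers(headers):
    """Return {canonical name: value} for every fingerprinting header present.
    Header names are matched case-insensitively, as HTTP requires."""
    wanted = {name.lower(): name for name in FINGERPRINT_HEADERS}
    found = {}
    for name, value in headers:
        canonical = wanted.get(name.lower())
        if canonical is not None:
            found[canonical] = value
    return found


def check_url(url, timeout=10.0):
    """Send a HEAD request to url and return the fingerprinting headers it leaks."""
    parts = urlparse(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.netloc, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return leaked_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses: what the ASafaWeb scan in the post saw, and
# what the same site returns once all four changes are in place.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Date: Thu, 01 Jan 2015 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)


def report(label, leaked):
    """Print one line per leaked header, or a pass message."""
    if not leaked:
        print(f"{label}: no fingerprinting headers")
        return
    for name, value in leaked.items():
        print(f"{label}: {name}: {value}")


if __name__ == "__main__":
    report("before", leaked_headers(parse_raw_headers(BEFORE)))
    report("after", leaked_headers(parse_raw_headers(AFTER)))
    if len(sys.argv) > 1:   # e.g. python check_headers.py https://example.org/
        report(sys.argv[1], check_url(sys.argv[1]))
```

Run it with your site's URL as the first argument after deploying; an empty result for that URL means all four headers are gone. A HEAD request is enough because IIS and ASP.NET add these headers to every response, not just to page bodies.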