Is it possible to remove the Server Response header in an ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?
I tried putting the following in the web.config:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="sameorigin" />
          <add name="X-XSS-Protection" value="1; mode=block" />
          <add name="X-Content-Type-Options" value="nosniff" />
          <remove name="X-Powered-By" />
          <remove name="Server" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel".
The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.
You can remove the Server header by setting the AddServerHeader property to false on KestrelServerOptions; this can be done in Program.cs.
    // Program.cs: stop Kestrel from adding its own "Server" response header.
    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options => options.AddServerHeader = false)
            .UseStartup<Startup>();
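One way to confirm the result, as an added example that is not part of the original question or answer: a small Python audit over a captured response head, checking the headers named in the web.config above. The function names and both sample responses are constructed for illustration.

```python
# Added example (not from the original post); names and samples are assumptions.
EXPECTED = {  # hardening headers and values taken from the web.config in the question
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}
DISCLOSING = ("server", "x-powered-by")  # headers that reveal the software stack

def parse_head(raw):
    """Return {lowercased name: [values]} from a raw response head (status line skipped)."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of findings; an empty list means the response passes."""
    headers = parse_head(raw)
    findings = []
    for name in DISCLOSING:
        for value in headers.get(name, []):
            findings.append(f"disclosing header present: {name}: {value}")
    for name, want in EXPECTED.items():
        got = [v.lower() for v in headers.get(name, [])]
        if not got:
            findings.append(f"missing header: {name}")
        elif got != [want]:
            findings.append(f"unexpected value for {name}: {got}")
    return sorted(findings)

# Constructed sample: web.config applied, Kestrel still adding its Server header.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Kestrel\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)
# Constructed sample: the same response once AddServerHeader is false.
AFTER = BEFORE.replace("Server: Kestrel\r\n", "")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "ok")
```

To audit a real deployment, paste the response head captured from the site in place of the samples.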