And I tried wiring it up both as the first and last handler in my HttpConfiguration. In both cases, the Headers collection was empty (suggesting they had not been populated by the pipleline yet). I've read about how to do this via configuration in IIS/web.config
for some of them but I'd prefer to do it in code.
This is clearly not possible. Custom headers added by IIS at the last step before sending the response to the client. ASP.NET pipeline work has long finished before this
Turns out it can be done programmatically in a single location (but it does require configuration of a module). For those interested, check out this excellent blog post:
Good find, but seems like a PITA. In your app are you not able to drop in the config value to disable the header?
I would hardly call setting up a new module a PITA. Here is my adapted code:
public class ResponseHeaderRemoverHttpModule : IHttpModule
{
private static readonly string[] headers = new[] { "Server", "X-AspNet-Version", "X-Powered-By" };
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += (sender, eventArgs) => headers.ForEach(header => context.Response.Headers.Remove(header));
}
public void Dispose()
{
}
}
Note, I have a created an extension method to support ForEach. So this won't compile if you just copy paste. And of course, this module needs to be wired up in web.config. But that's it. Super simple. Also, to answer your question directly, no, web.config
changes alone are not sufficient to eliminate all three of the headers. You can only eliminate the "X-*" headers. The "Server" header cannot be removed through configuration.
And for those of you that are not inclined to create a custom HttpModule, you can wire up this event in your global.asax as well.
DPeden
Member
14 Points
16 Posts
Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 09:57 PM|LINK
I tried creating the following handler:
public class RemoveMicrosoftResponseHeadersHandler : DelegatingHandler { protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { return base.SendAsync(request, cancellationToken).ContinueWith( task => { HttpResponseMessage response = task.Result; response.Headers.Remove("Server"); response.Headers.Remove("X-AspNet-Version"); response.Headers.Remove("X-Powered-By"); return response; } ); } }And I tried wiring it up both as the first and last handler in my HttpConfiguration. In both cases, the Headers collection was empty (suggesting they had not been populated by the pipleline yet). I've read about how to do this via configuration in IIS/web.config for some of them but I'd prefer to do it in code.
Is there a solution?
BrockAllen
All-Star
28042 Points
4991 Posts
MVP
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 10:02 PM|LINK
You can remove this in IIS. Under your server -> HTTP Response Headers and remove it from the list.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
DPeden
Member
14 Points
16 Posts
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 10:07 PM|LINK
Brock, my question was how to do this in code, not configuration, as clearly stated in my original post and title.
BrockAllen
All-Star
28042 Points
4991 Posts
MVP
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 10:09 PM|LINK
Right, and I think this is something that is outside of your app and thus only doable from IIS.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
aliostad
Member
228 Points
55 Posts
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 10:27 PM|LINK
This is clearly not possible. Custom headers added by IIS at the last step before sending the response to the client. ASP.NET pipeline work has long finished before this
DPeden
Member
14 Points
16 Posts
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 13, 2012 10:36 PM|LINK
Alright, thanks anyway.
DPeden
Member
14 Points
16 Posts
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 14, 2012 01:37 AM|LINK
Turns out it can be done programmatically in a single location (but it does require configuration of a module). For those interested, check out this excellent blog post:
http://consultingblogs.emc.com/howardvanrooijen/archive/2009/08/25/cloaking-your-asp-net-mvc-web-application-on-iis-7.aspx
BrockAllen
All-Star
28042 Points
4991 Posts
MVP
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 14, 2012 01:04 PM|LINK
Good find, but seems like a PITA. In your app are you not able to drop in the config value to disable the header?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
DPeden
Member
14 Points
16 Posts
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 14, 2012 03:32 PM|LINK
I would hardly call setting up a new module a PITA. Here is my adapted code:
public class ResponseHeaderRemoverHttpModule : IHttpModule { private static readonly string[] headers = new[] { "Server", "X-AspNet-Version", "X-Powered-By" }; public void Init(HttpApplication context) { context.PreSendRequestHeaders += (sender, eventArgs) => headers.ForEach(header => context.Response.Headers.Remove(header)); } public void Dispose() { } }Note, I have a created an extension method to support ForEach. So this won't compile if you just copy paste. And of course, this module needs to be wired up in web.config. But that's it. Super simple. Also, to answer your question directly, no, web.config changes alone are not sufficient to eliminate all three of the headers. You can only eliminate the "X-*" headers. The "Server" header cannot be removed through configuration.
And for those of you that are not inclined to create a custom HttpModule, you can wire up this event in your global.asax as well.
BrockAllen
All-Star
28042 Points
4991 Posts
MVP
Re: Is it possible to programmatically remove the custom ASP.NET headers?
May 14, 2012 03:36 PM|LINK
Ok, so that's the rub -- there were other headers that were not controlled from config. Anyway, nice follow up.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/