How to Remove IIS Server, ASP.NET Version, and MVC Headers for Security Hardening

While removing server version headers won't make your application completely secure (security through obscurity isn't real security), it's often required by security audits to reduce attack surface. Many penetration testing frameworks like Metasploit specifically look for these headers to fingerprint vulnerable systems.

For IIS 6.0, you'll need to modify the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=dword:00000001

After making this change, restart the HTTP service:

net stop http /y
net start w3svc

For ASP.NET 2.0, add this to your web.config:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For MVC applications, you'll need to remove the header in Application_Start:

using System.Web;
using System.Web.Mvc;

protected void Application_Start()
{
    // Stops MVC from adding X-AspNetMvc-Version to every response.
    MvcHandler.DisableMvcResponseHeader = true;
    // Alternative if the above doesn't work: call RemoveMvcVersionHeader()
    // once per request (e.g. from Application_PreSendRequestHeaders), since a
    // header can only be removed from the response it is about to be sent on.
}

private void RemoveMvcVersionHeader()
{
    // Response.Headers is writable only in the IIS 7+ integrated pipeline.
    var headers = HttpContext.Current.Response.Headers;
    headers.Remove("X-AspNetMvc-Version");
}

Use curl or Fiddler to verify headers are removed:

curl -I http://yourserver.com

Or create a simple test page:

<%@ Page Language="C#" %>
<% 
    Response.Write("Headers removed test");
    Response.End();
%>

For IIS 6.0, consider using URLScan (part of IIS Lockdown Tool) with these settings in urlscan.ini:

[Options]
RemoveServerHeader=1

Response headers like Server, X-AspNet-Version, and X-AspNetMvc-Version expose server platform details, which can be exploited by attackers. While obscurity isn't security, compliance often requires removing these headers.

For IIS 6.0, you'll need to modify the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=dword:00000001

Restart IIS (iisreset) after applying this change.

Add this to your web.config:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For MVC applications, add this in Application_Start():

using System.Web.Mvc;

protected void Application_Start()
{
    // Stops MVC from adding X-AspNetMvc-Version to every response.
    MvcHandler.DisableMvcResponseHeader = true;
    // Same property, fully qualified (use this form if System.Web.Mvc
    // is not imported in Global.asax):
    // System.Web.Mvc.MvcHandler.DisableMvcResponseHeader = true;
}

For complete control, create a custom HTTP module:

using System;
using System.Web;

public class HeaderRemoverModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Fires just before the headers are written, so removals take effect.
        context.PreSendRequestHeaders += RemoveHeaders;
    }

    private void RemoveHeaders(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Response.Headers is writable only in the IIS 7+ integrated pipeline
        // (classic mode throws PlatformNotSupportedException here).
        app.Context.Response.Headers.Remove("Server");
        app.Context.Response.Headers.Remove("X-AspNet-Version");
        app.Context.Response.Headers.Remove("X-AspNetMvc-Version");
    }

    public void Dispose() { }
}

Register it in web.config:

<system.webServer>
  <modules>
    <add name="HeaderRemoverModule" type="YourNamespace.HeaderRemoverModule" />
  </modules>
</system.webServer>

Use curl or browser dev tools to verify:

curl -I https://yoursite.com

Should show no server/version headers in response.

  • Consider removing other unnecessary headers like X-Powered-By
  • Implement proper CORS headers if needed
  • Review all custom headers for sensitive information
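A checker for the curl -I verification step in both answers, added here as an example and not part of either answer: it parses a raw response and reports which of the fingerprinting headers named above are still present, matching header names case-insensitively (so a lower-cased "server:" is caught too). The sample responses are constructed, and fetch_head assumes a URL you supply.

```python
# Constructed sample responses (not captured from a real host): before/after.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNetMvc-Version: 3.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
AFTER = "HTTP/1.1 200 OK\r\nCache-Control: private\r\nContent-Type: text/html\r\n\r\n"

# Canonical names keyed by lower-case form; header names are case-insensitive.
FINGERPRINT_HEADERS = {
    "server": "Server",
    "x-aspnet-version": "X-AspNet-Version",
    "x-aspnetmvc-version": "X-AspNetMvc-Version",
    "x-powered-by": "X-Powered-By",
}

def parse_headers(raw):
    """Return (name, value) pairs from the head of a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.splitlines()[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def audit(raw):
    """Map each leaked fingerprinting header to its value. An empty value
    still counts: the header's mere presence identifies the platform."""
    leaks = {}
    for name, value in parse_headers(raw):
        canonical = FINGERPRINT_HEADERS.get(name.lower())
        if canonical:
            leaks[canonical] = value
    return leaks

def fetch_head(url, timeout=10):
    """HEAD request returning status line plus headers in the shape curl -I prints."""
    from urllib.request import Request, urlopen
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
```

Run audit(fetch_head("https://yoursite.com")) against your own server after applying the changes; an empty dict means none of the four headers came back.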