When deploying ASP.NET Core applications on IIS 10, the server header revealing detailed version information poses a significant security risk. Despite common mitigation attempts, this header often persists in responses.
The registry modification (DisableServerHeader=1) only affects http.sys module headers, not the IIS-specific version disclosure. Similarly, outbound rewrite rules in applicationHost.config might not fully suppress the header in all response scenarios.
For ASP.NET Core applications hosted on IIS, implement this middleware approach in your Startup.cs:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.Use(async (context, next) =>
        {
            // Headers set later in the pipeline are only final when the
            // response starts, so remove the header in OnStarting (which runs
            // just before the headers are sent) rather than before next().
            context.Response.OnStarting(() =>
            {
                context.Response.Headers.Remove("Server");
                return Task.CompletedTask;
            });
            await next();
        });
        // Other middleware configurations
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
Combine the middleware with an outbound rewrite rule in web.config that blanks the Server header (the complete rule is listed in the second part of this page).
After implementation, verify using curl or Postman:

    curl -I https://yourapi.example.com
The response should show no Server header or display a generic value. For complete removal of all server identifiers, consider additional security headers.
The middleware approach adds minimal overhead (typically <1ms per request) while providing robust header removal. For high-traffic applications, benchmark with and without the middleware during load testing.
While working with IIS 10 and ASP.NET Core 3.0 Web APIs, many developers encounter the security concern of version disclosure through the Server response header. The standard approaches often fail to remove this information completely, leaving your application exposed to attacks targeted at the disclosed version.
The common suggestion to modify the DisableServerHeader registry key only affects the http.sys module, not the IIS-specific version information. This partial solution explains why many developers still see the "Server: Microsoft-IIS/10.0" header despite their configuration attempts.
The solution requires modifying the applicationHost.config file with proper rewrite rules. Here's the complete implementation that actually works:
    <!-- Requires the IIS URL Rewrite module; place under the <configuration> root -->
    <system.webServer>
      <rewrite>
        <outboundRules rewriteBeforeCache="true">
          <rule name="Remove Server header">
            <match serverVariable="RESPONSE_Server" pattern=".*" />
            <action type="Rewrite" value="" />
          </rule>
          <rule name="Remove X-Powered-By">
            <match serverVariable="RESPONSE_X-Powered-By" pattern=".*" />
            <action type="Rewrite" value="" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
For additional security, implement this middleware in your Startup.cs:

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.Use(async (context, next) =>
        {
            // Strip the headers just before they are sent, so values set
            // later in the pipeline are removed as well.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers.Remove("Server");
                context.Response.Headers.Remove("X-Powered-By");
                return Task.CompletedTask;
            });
            await next();
        });
        // Other middleware configurations
    }
After implementing these changes, verify the headers are removed by either:
- Using browser developer tools (Network tab)
- Running curl -I yourdomain.com
- Using Postman or similar API testing tools
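As an added verification helper for both curl checks on this page (not code from the original page), the following POSIX shell function reads the raw headers that curl -I produces and reports any header that still discloses the server stack. It tolerates a bare product name such as Server: Kestrel, matching the page's note that a generic value is acceptable, but flags anything that carries a version; the sample headers used to exercise it are constructed.

```shell
# Reads raw HTTP response headers on stdin, for example from
#   curl -sI https://yourapi.example.com | audit_headers
# Prints each header that still discloses the server stack and returns
# 1 if any was found, 0 if the response is clean.
audit_headers() {
    found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # curl output is CRLF-terminated
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        value=${line#*:}
        value=${value# }
        case "$name" in
            x-powered-by)
                # Any X-Powered-By value names the framework, so always flag it.
                printf 'DISCLOSURE: %s\n' "$line"
                found=1 ;;
            server)
                # Tolerate a bare product name; flag a version such as
                # "Microsoft-IIS/10.0" (slash or digits in the value).
                case "$value" in
                    */*|*[0-9]*)
                        printf 'DISCLOSURE: %s\n' "$line"
                        found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}
```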
While removing the Server header improves security, consider these complementary measures:
- Implement proper CORS policies
- Add security headers like X-Content-Type-Options, X-Frame-Options
- Configure HSTS for HTTPS sites
- Regularly update IIS and .NET Core runtime