Some response headers\u00a0reveal technical details about the server which\u00a0must be\u00a0removed. For example a sample response from an ASP.Net application may look like this<\/p>\n
![\"\"](\"https:\/\/www.netexl.com\/blog\/wp-content\/uploads\/2018\/11\/ASPNetResponse.png\")
<\/p>\n
In this response “Server”, “X-AspNet-Version”, “X-Powered-By” headers are revealing technical details about the server. We can\u00a0remove these\u00a0unnecessary IIS response headers as following<\/p>\n
Remove “X-Powered-By” Header<\/strong> – Open web.config and\u00a0check for\u00a0customHeaders tag. If this is not already there, then add it as child of “<httpProtocol>” and add “remove” entry for X-Powered-By as shown below<\/p>\n You should also check the response from your\u00a0Asp.Net application if this is using a shared hosting which may add additional server specific information to response headers. Add remove entry for all such headers in your web.config.<\/p>\n Remove “X-AspNet-Version” Header<\/strong> – In web.config file look for\u00a0<httpRuntime> under <system.web>.\u00a0 Add enableVersionHeader attribute and set its value to false.<\/p>\n Remove “Server” Header<\/strong> –\u00a0Add following line in\u00a0Application_BeginRequest\u00a0 method of Global.asax.cs<\/p>\n Add Security Headers in Response<\/strong> – Add additional security headers (X-Content-Type-Options<\/a>, X-Frame-Options<\/a>, X-XSS-Protection<\/a>) in response to harden security of the application. Add entries in web.config as following<\/p>\n If you are using iFrames in your website, you can set value of “X-Frame-Options” to “SAMEORIGIN”.<\/p>\n<configuration>\r\n <system.webServer>\r\n <httpProtocol>\r\n\t\t<customHeaders>\r\n\t\t\t<remove name=\"X-Powered-By\" \/>\r\n\t\t<\/customHeaders>\r\n <\/httpProtocol>\t \r\n <\/system.webServer>\r\n<\/configuration><\/pre>\n
<httpRuntime targetFramework=\"4.5\" enableVersionHeader=\"false\" \/>\r\n<\/pre>\n
protected void Application_BeginRequest(object sender, EventArgs e)\r\n{\r\n HttpContext.Current.Response.Headers.Remove(\"Server\");\r\n}<\/pre>\n<customHeaders>\r\n\t<remove name=\"X-Powered-By\" \/>\r\n <add name=\"X-Frame-Options\" value=\"DENY\" \/> \r\n <add name=\"X-XSS-Protection\" value=\"1; mode=block\" \/> \r\n <add name=\"X-Content-Type-Options\" value=\"nosniff \" \/> \r\n<\/customHeaders>\r\n<\/pre>\n