By default, IIS and ASP.NET add a couple of informational HTTP headers to a response. They add extra traffic and give away security-relevant information such as the ASP.NET version, the IIS version, etc. To see the HTTP headers you can use a proxy tool like Fiddler or Live HTTP Header. The example below is for a regular ASP.NET site.
Removing the X-Powered-By Header
Open up IIS Manager, choose your site and go to HTTP Response Headers. Here you’ll see X-Powered-By being inherited. You can either remove it only for this site or for all sites on this server (select the server name in IIS Manager and HTTP Response Headers).
You can also do this in your site's web.config.

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>
Removing the Server Header
To remove this HTTP Header we need to create a custom HTTP Module.

    using System;
    using System.Web;

    namespace MyNamespace
    {
        // Strips informational headers just before the response headers are sent.
        // Response.Headers can only be modified in the IIS integrated pipeline mode.
        public class HttpHeadersCleanup : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                context.PreSendRequestHeaders += PreSendRequestHeaders;
            }

            private static void PreSendRequestHeaders(object sender, EventArgs e)
            {
                HttpContext.Current.Response.Headers.Remove("Server");
            }

            public void Dispose()
            {
            }
        }
    }
You also need to register the HTTP Module in your site's web.config.

    <system.webServer>
      ...
      <modules runAllManagedModulesForAllRequests="true">
        <add name="HttpHeadersCleanup" type="MyNamespace.HttpHeadersCleanup, MyAssembly"/>
      </modules>
      ...
    </system.webServer>
Removing the ETag Header
For more information on ETag see: HTTP ETag.
To remove ETag you need to add the code below to the HTTP Module described previously.

    HttpContext.Current.Response.Headers.Remove("ETag");
Removing the X-Aspnet-Version Header
To remove this HTTP Header you simply set enableVersionHeader to false in your site's web.config.

    <system.web>
      ...
      <httpRuntime enableVersionHeader="false" />
      ...
    </system.web>
Or by removing it in the HTTP Module:

    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
Here’s how the HTTP Headers look now:
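To check the result yourself, the small console program below (an added example, not code from the original post) parses the head of a raw HTTP response and lists which of the four headers covered above are still present. The class name `HeaderAudit`, the method `FindUnwanted` and both sample responses are constructed for illustration; paste in a response head captured with Fiddler to test your own site.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
// Added example: names and sample data below are constructed for illustration.
public static class HeaderAudit
{
    // The four headers this post removes; HTTP header names are case-insensitive.
    private static readonly HashSet<string> Unwanted = new HashSet<string>(
        new[] { "Server", "X-Powered-By", "X-AspNet-Version", "ETag" },
        StringComparer.OrdinalIgnoreCase);

    // Reads the status line, then "Name: value" lines up to the first blank line.
    public static List<KeyValuePair<string, string>> FindUnwanted(string rawHead)
    {
        var found = new List<KeyValuePair<string, string>>();
        using (var reader = new StringReader(rawHead))
        {
            reader.ReadLine(); // skip the status line
            string line;
            while ((line = reader.ReadLine()) != null && line.Length > 0)
            {
                int colon = line.IndexOf(':');
                if (colon <= 0) continue; // not a header line
                string name = line.Substring(0, colon).Trim();
                string value = line.Substring(colon + 1).Trim();
                if (Unwanted.Contains(name))
                    found.Add(new KeyValuePair<string, string>(name, value));
            }
        }
        return found;
    }

    public static void Main()
    {
        // Constructed sample responses: before and after applying the changes.
        string before = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" +
            "Server: Microsoft-IIS/7.5\r\nx-aspnet-version: 4.0.30319\r\n" +
            "X-Powered-By: ASP.NET\r\nETag: \"abc123\"\r\n\r\n<html>Server: x</html>";
        string after = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" +
            "Cache-Control: private\r\n\r\n";
        foreach (var sample in new[] { before, after })
        {
            var leaks = FindUnwanted(sample);
            Console.WriteLine(leaks.Count == 0 ? "clean" : "still present:");
            foreach (var h in leaks)
                Console.WriteLine("  " + h.Key + ": " + h.Value);
        }
    }
}
```

Parsing stops at the blank line that ends the headers, so text in the response body that happens to look like a header is not reported.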