
How to remove IIS server header from your Azure web app

By default, when a web app is hosted in IIS, two headers are exposed that you do not normally see when developing locally:

Server: Microsoft-IIS/10.0

X-Powered-By: ASP.NET

These headers tell anyone who looks at a response exactly which server software and framework you run, which makes it easier to look up known vulnerabilities in those products, so they are not something you want to advertise to the world.

Place a web.config in your web project root folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <!-- Removes the ASP.NET version header (X-AspNet-Version). -->
        <httpRuntime enableVersionHeader="false" />
    </system.web>
    <system.webServer>
        <security>
            <!-- Removes the Server header. -->
            <requestFiltering removeServerHeader="true" />
        </security>
        <httpProtocol>
            <customHeaders>
                <!-- Removes other unwanted headers, including X-Powered-By. -->
                <clear />
                <remove name="X-Powered-By" />
            </customHeaders>
            <redirectHeaders>
                <clear />
            </redirectHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

Make sure it is copied to the output directory.

Right-click your web.config file, select Properties, and make sure “Copy to output directory” is set to “Copy if newer” or “Copy always”.

Publish your web app

You can check that the web.config is generated as expected by running “dotnet publish” in a terminal opened in your web project folder. Once published, you will find the output in {myWebProjectPath}\bin\Debug\{dotNetVersion}\publish\, and there you should see a web.config file. If you open it, you will see that the publish step added a couple more elements to your web.config; those are needed to run your web app properly in IIS.

If no extra elements were added, make sure that <IsTransformWebConfigDisabled> is either unset or set to false in your {webApp}.csproj file.
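The real test is the response your published app sends. The script below is an added example, not part of the original post: it parses a raw HTTP response (or, given a URL on the command line, fetches one with urllib) and reports which of the fingerprinting headers discussed above are still present. The two sample responses are constructed to show the before and after state; the X-AspNet-Version value is made up.

```python
"""Report server/framework-identifying headers in an HTTP response."""
import sys
import urllib.error
import urllib.request

# Headers the web.config in this post suppresses (Server, X-Powered-By,
# X-AspNet-Version), plus the MVC version header ASP.NET can also emit.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By",
                       "X-AspNet-Version", "X-AspNetMvc-Version")


def parse_raw_headers(raw):
    """Parse a raw HTTP response's header block into {lower-name: value}."""
    lines = raw.strip().splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]                      # drop the status line
    headers = {}
    for line in lines:
        if ":" not in line:
            continue                           # not a header line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def leaking_headers(headers):
    """Return {name: value} for every fingerprinting header that is present."""
    return {n: headers[n.lower()] for n in FINGERPRINT_HEADERS if n.lower() in headers}


def check_url(url):
    """Send a HEAD request and return the fingerprinting headers in the reply.

    Error responses (e.g. 405 for HEAD) carry the same IIS headers, so they
    are inspected too instead of being treated as a failure.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req) as resp:
            items = resp.headers.items()
    except urllib.error.HTTPError as err:
        items = err.headers.items()
    return leaking_headers({k.lower(): v for k, v in items})


# Constructed samples: a default IIS response and one after the web.config.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
"""
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))        # e.g. https://myapp.azurewebsites.net/
    else:
        print("before:", leaking_headers(parse_raw_headers(BEFORE)))
        print("after: ", leaking_headers(parse_raw_headers(AFTER)))
```

An empty result from check_url against your published app means all three headers from this post (and the MVC one) are gone.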

Why a web.config?

Normally, when you want to remove a header, you do so in the .NET middleware pipeline. That does not work for the IIS hosting headers, because they are added by IIS rather than by .NET. So we need to change the IIS settings instead, and we can do that through the web.config file. A web.config is generated during dotnet publish anyway; by providing our own, we can add the settings that further configure IIS, and the publish step adds its required elements on top of it.