Removing .NET/IIS headers from the responses

Laimonas Simutis
Feb 19, 2021

Quick bullet points on this one, writing it down because I will need this in a few years again and will save myself time :)

Problem: you host your site on IIS, and IIS adds a Server header to all responses that identifies the IIS version. You want to remove it. There are multiple ways to do this, and a common example is adding a snippet of code in your app that removes the header from the response.

I’ve found it’s best to remove it at the machine level. IIS uses ApplicationHost.config for base-level settings that all sites inherit. Here is a way to remove the unwanted headers using the appcmd utility:

appcmd.exe set config -section:system.webServer/httpProtocol /-"customHeaders.[name='X-Powered-By']" /commit:apphost

The above removes the X-Powered-By header that is added for ASP.NET-hosted sites. And this removes the Server header that IIS adds:

appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:true /commit:apphost

When you research this on the web, you will often get a suggestion to use URL Rewrite or registry modifications, etc. Such a pain … The best approach is to run the above calls as part of your image prep and keep the apps clean of the noise.
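
A check that an image-prep script could run after the two appcmd calls, as an added example that is not from the original post: it reads the ApplicationHost.config XML and reports whether either header is still configured. The function name `Get-HeaderLeak` and both XML samples are constructed for illustration.

```powershell
# Added example: Get-HeaderLeak and both XML samples are constructed for illustration.
function Get-HeaderLeak {
    param([Parameter(Mandatory)][xml]$Config)

    # X-Powered-By can sit at machine level or be re-added inside a <location> block.
    foreach ($n in $Config.SelectNodes("//httpProtocol/customHeaders/add[@name='X-Powered-By']")) {
        $loc = $n.SelectSingleNode('ancestor::location')
        $scope = if ($null -ne $loc) { "location '$($loc.GetAttribute('path'))'" } else { 'machine level' }
        "X-Powered-By is still added at $scope"
    }

    # removeServerHeader is an attribute on <requestFiltering>; absent means the header is sent.
    $rf = $Config.SelectSingleNode('/configuration/system.webServer/security/requestFiltering')
    if ($null -eq $rf -or $rf.GetAttribute('removeServerHeader') -ne 'true') {
        'Server header is not removed (removeServerHeader is not true)'
    }
}

# Constructed sample: the relevant sections before the appcmd calls.
$before = [xml]@'
<configuration><system.webServer>
  <httpProtocol><customHeaders>
    <clear />
    <add name="X-Powered-By" value="ASP.NET" />
  </customHeaders></httpProtocol>
  <security><requestFiltering /></security>
</system.webServer></configuration>
'@

# Constructed sample: the same sections after both appcmd calls.
$after = [xml]@'
<configuration><system.webServer>
  <httpProtocol><customHeaders><clear /></customHeaders></httpProtocol>
  <security><requestFiltering removeServerHeader="true" /></security>
</system.webServer></configuration>
'@

"before: $(@(Get-HeaderLeak $before).Count) finding(s)"
"after:  $(@(Get-HeaderLeak $after).Count) finding(s)"

# Real use: fail the image build when anything is returned.
# $path  = "$env:windir\System32\inetsrv\config\applicationHost.config"
# $leaks = @(Get-HeaderLeak ([xml](Get-Content $path -Raw)))
# if ($leaks.Count) { $leaks; exit 1 }
```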
