Tags: c#, asp.net-core, kestrel-http-server, response-headers, kestrel

How to remove Server Header in Asp.Net Core 2.2.1 Web App?


I'm using Asp.Net Core 2.2.1. I'm trying to remove the server Header from the response. I tried adding options.AddServerHeader = false; inside ConfigureKestrel(), but still unsuccessful. Please assist me on where I'm going wrong.

Here is my code:

Program.cs

    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args)
        {
            return WebHost.CreateDefaultBuilder(args)
                .UseStartup<Startup>()
                .ConfigureKestrel((context,options) => {
                    // Set properties and call methods on options
                    options.AddServerHeader = false;
                });
        }
    }

Web.config

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <!-- To customize the asp.net core module uncomment and edit the following section. 
      For more info see https://go.microsoft.com/fwlink/?linkid=838655 -->
      <system.webServer>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
        <handlers>
          <remove name="aspNetCore" />
          <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess">
          <environmentVariables>
            <environmentVariable name="ASPNETCORE_HTTPS_PORT" value="44342" />
            <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Development" />
          </environmentVariables>
        </aspNetCore>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>


Thanks,

Abdul


Solution

  • Calling ConfigureKestrel with options.AddServerHeader = false; will only remove the server header if your application is running on Kestrel. When you are hosting your application on IIS/IISExpress, you need to add the web.config with the following settings:

    <configuration> 
      <system.webServer>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>
    

    This line <requestFiltering removeServerHeader="true" /> will do the trick. In addition, you can also remove the custom headers, such as X-Powered-By, if you like, by adding the customHeaders section under httpProtocol.

    Please make sure you have Request Filtering enabled.

    I hope this helps.
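
Added example (not part of the original answer, and not code from ASP.NET Core or IIS): a small Python check that parses a web.config and reports whether the two settings named in the answer are present, so the file can be verified before deployment. The function name audit_web_config and the sample configs are constructed for illustration, and the check assumes the settings live in the top-level <system.webServer> section.

```python
import xml.etree.ElementTree as ET


def audit_web_config(xml_text):
    """Return findings for the two IIS settings from the answer; [] means both are set."""
    root = ET.fromstring(xml_text)
    # Assumption: only the top-level <system.webServer> is inspected
    # (sections nested under <location> are not evaluated here).
    ws = root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section found"]

    findings = []
    rf = ws.find("security/requestFiltering")
    # A missing element or attribute, or any value other than "true", leaves the header in place.
    if rf is None or rf.get("removeServerHeader", "").strip().lower() != "true":
        findings.append('Server: requestFiltering removeServerHeader is not "true"')

    # HTTP header names are case-insensitive, so compare in lower case.
    removed = {
        e.get("name", "").strip().lower()
        for e in ws.findall("httpProtocol/customHeaders/remove")
    }
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By: no <remove> entry under customHeaders")
    return findings


# Constructed sample inputs (not taken from a real deployment).
HARDENED = """<configuration><system.webServer>
  <security><requestFiltering removeServerHeader="true" /></security>
  <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
</system.webServer></configuration>"""

DEFAULTS = """<configuration><system.webServer>
  <security><requestFiltering /></security>
</system.webServer></configuration>"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("defaults", DEFAULTS)):
        print(label, audit_web_config(text) or "ok")
```

The check reads the file only; the response headers of the running site still need to be inspected to confirm the setting took effect on the host.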