As we see security as a top priority, for every new application that we put in production, we let it be penetration tested first. One remark we got with the last pen test was about the information our servers inadvertently revealed through HTTP response headers. Although I think it is not the biggest possible security issue, exposing details about their technology stack through headers like Server and X-Powered-By, gives some reconnaissance information to potential attackers for free.
n this post, we'll explore why you should hide these headers and demonstrate several methods to remove or customize them in ASP.NET Core applications.
 |
| Generated with Bing Image Creator |
Why hide server headers?
Server identification headers might seem harmless, but they can pose security risks:
Information Disclosure: Headers like Server: Kestrel or X-Powered-By: ASP.NET immediately tell attackers what technology stack you're using, making it easier for them to target known vulnerabilities.
Reconnaissance: Attackers often perform reconnaissance by scanning for specific server signatures to identify potential targets running vulnerable versions of software.
Security through obscurity: While not a primary security measure, hiding server information adds an extra layer of obscurity that can deter automated attacks and script kiddies.
Removing these headers in ASP.NET Core
Turns out that it not so simple to remove these headers from your ASP.NET Core application. Our first naive attempt was through a custom middleware:
However it turned out that this didn’t work and both headers were still there.
Some further research brought us to 2 solutions that work as expected. Depending on the hosting platform(Kestrel vs IIS) choose one or the other:
Remove 'Server' header when using Kestrel
You can configure Kestrel to not add the Server header at all by modifying the server options:
Remove 'Server' header and 'X-Powered-By' header when using IIS
When hosting on IIS, you'll need to configure the web.config file to remove IIS-specific headers: