Remove Unwanted HTTP Headers in ASP.NET


In this article we will see how to remove unwanted HTTP headers and why we want to remove the headers.

Why we want to remove unwanted HTTP headers

If you are a developer or architect working on a web application and someone asks about its "Technology", "Web Server" and "Framework version", that is not information you would share with the outside world. Yet this information is published via HTTP headers for each page request, as shown in the following image.

Figure 1.jpg

Exposing this information about the site is considered a security vulnerability. Hackers can easily learn how your application is built and use the information in an attack.

How to remove unwanted HTTP headers

We will create a simple HTTP module and remove these headers.


First, implement the "IHttpModule" interface and its methods to create a custom HTTP module.

Figure 2.jpg

The "IHttpModule" interface has two methods. In the "Init" method implementation we will register an event handler.

Figure 3.jpg

In the event handler, we just get the current HTTP response and remove the unwanted response headers, as shown below.

Figure 4.jpg

That is all for the module file. Next we need to register the module in our application by adding the following tag to the "Web.Config" file.

Figure 5.jpg

If you are using Integrated mode, configure your handlers and modules in system.webServer instead of system.web.

Now we load the page and inspect the headers. We will see that the headers have been removed, except for "Powered-By".

Figure 6.jpg

Add the following key to the "Web.config" file to remove the "Powered-By" header as well.

Figure 7.jpg

If we run the page we see the final output.

Figure 8.jpg
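A minimal version of the module and registration described in the steps above, as an added example rather than the article's own code (which appeared only in the figures). The namespace, class name, choice of the PreSendRequestHeaders event, header list and the Web.config fragment in the comment are assumptions.

```csharp
using System;
using System.Web;

namespace HeaderCleanup // hypothetical namespace, not from the article
{
    // Registration in Web.config for IIS integrated mode (assumed layout; the
    // article's own snippet was an image). The <remove> entry is one common
    // way to drop X-Powered-By, which IIS adds outside the managed module:
    //
    //   <system.webServer>
    //     <modules>
    //       <add name="RemoveHeadersModule"
    //            type="HeaderCleanup.RemoveHeadersModule" />
    //     </modules>
    //     <httpProtocol>
    //       <customHeaders><remove name="X-Powered-By" /></customHeaders>
    //     </httpProtocol>
    //   </system.webServer>
    public sealed class RemoveHeadersModule : IHttpModule
    {
        // Assumed header list: web server, framework and MVC versions.
        private static readonly string[] UnwantedHeaders =
        {
            "Server", "X-AspNet-Version", "X-AspNetMvc-Version"
        };

        public void Init(HttpApplication context)
        {
            // HttpResponse.Headers throws PlatformNotSupportedException in
            // classic mode, so only hook the event on the integrated pipeline.
            if (HttpRuntime.UsingIntegratedPipeline)
            {
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Take the response from the application that raised the event.
            var response = ((HttpApplication)sender).Context.Response;
            foreach (var name in UnwantedHeaders)
            {
                response.Headers.Remove(name);
            }
        }

        public void Dispose()
        {
            // Nothing to release; the module holds no resources.
        }
    }
}
```

Microsoft's documentation advises against using PreSendRequestHeaders in managed modules because it can cause issues with asynchronous requests, so test the module under your real workload. Check the result with a header inspection of both normal pages and error responses, since responses that never reach the managed pipeline will not pass through the module.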


In this article we saw how to remove the unwanted HTTP headers using a custom HTTP module.