How to Hide Header Values in ASP.NET Core MVC Web Applications
Server Header
We can remove the Server header by adding the line “UseKestrel(c => c.AddServerHeader = false)” to the CreateWebHostBuilder method in Program.cs.
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        // Stop Kestrel from adding the "Server" response header.
        .UseKestrel(c => c.AddServerHeader = false)
        .UseStartup<Startup>();
X-Powered-By Header
To remove the X-Powered-By header, add a web configuration file to the project and, under <system.webServer>, add an element that removes the X-Powered-By header:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
X-Aspnet-Version Header
To remove the X-Aspnet-Version header, make the following change in the web configuration file:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
X-AspnetMvc-Version Header
To remove the X-AspnetMvc-Version header, add the following line where the application starts in Global.asax:
protected void Application_Start(object sender, EventArgs e)
{
    MvcHandler.DisableMvcResponseHeader = true;
}
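To confirm that all four changes took effect, the following added example (not part of the original article) audits a raw HTTP response for the headers covered above and maps each one still present to the fix described here. The function names and the two sample responses, including the version values in them, are constructed for illustration.

```python
# Added example: audit a response for the four headers this page removes.
from email.parser import Parser

# Header name (lower-case) -> the fix described on this page.
FIXES = {
    "server": "UseKestrel(c => c.AddServerHeader = false) in Program.cs",
    "x-powered-by": '<remove name="X-Powered-By" /> under <customHeaders>',
    "x-aspnet-version": '<httpRuntime enableVersionHeader="false" />',
    "x-aspnetmvc-version": "MvcHandler.DisableMvcResponseHeader = true",
}

def parse_headers(raw_response: str):
    """Return [(name, value), ...] from the head of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    return Parser().parsestr(header_block, headersonly=True).items()

def audit(raw_response: str):
    """Return {header: (value, fix)} for each disclosure header still present."""
    findings = {}
    for name, value in parse_headers(raw_response):
        fix = FIXES.get(name.lower())  # header names are case-insensitive
        if fix:
            findings[name.lower()] = (value, fix)
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Kestrel\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "\r\n<html></html>"
)
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        found = audit(resp)
        print(label, "-> clean" if not found else "-> still disclosed:")
        for name, (value, fix) in found.items():
            print(f"  {name}: {value!r}  fix: {fix}")
```

An empty result from audit() means none of the four headers is present in that response; check error pages and static-file responses as well, since they can be served by a different part of the pipeline.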