In this post, I will show how to remove the server header from ASP.NET Core 3.1. The fix is the same for other versions as well.
Are you looking to implement more security features from the list below in your ASP.NET Core application?
- content-security-policy
- x-content-type-options: nosniff
- x-download-options: noopen
- x-frame-options: Deny
- x-ua-compatible: IE=edge,chrome=1
- x-xss-protection: 1; mode=block
Related Posts
- How to apply various Security Feature in ASP.NET Core application
- How to use TLS 1.2 in ASP.NET Core 2.0
Add the required security code to your ASP.NET Core application to avoid exploitation by hackers.
Let me walk you through the problem and the solution to it. Most of us create ASP.NET Core applications using the default template that is available in the Visual Studio IDE. The project created from that template does not have these security features implemented by default.
If you create a brand new ASP.NET Core Web Application using the default template and run the default weatherforecast endpoint, you will see the response below.
Open the developers’ tool by pressing F12 on your keyboard.

Response header details for a given API endpoint
The response header displays server details, which puts the web application at risk of being exploited by the outside world.
Remove Server Header
The code shown below is in the “Program” class which is created by default.
```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        // Default template: Kestrel sends the Server header unless told otherwise.
        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}
```
The fix is small and easy. Come, let’s fix it.
Code Fix
Add UseKestrel and set AddServerHeader to false, which makes sure the server header is not sent in the API response.
```csharp
webBuilder.UseKestrel((options) =>
{
    // Do not add the Server HTTP header.
    options.AddServerHeader = false;
});
```
Complete Code
```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                    webBuilder.UseKestrel((options) =>
                    {
                        // Do not add the Server HTTP header.
                        options.AddServerHeader = false;
                    });
                });
    }
}
```

Server header information removed
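To confirm the setting without opening the browser tools, the following added example (not code from the original post) starts a throwaway Kestrel host on a loopback port with AddServerHeader on and then off, and reads the Server response header each time. The names ServerHeaderCheck and GetServerHeaderAsync and the loopback URL are assumptions made for this example, and it assumes a project that references the ASP.NET Core shared framework.

```csharp
// Added example, not from the original post; assumes a Microsoft.NET.Sdk.Web project.
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Hosting.Server;
using Microsoft.AspNetCore.Hosting.Server.Features;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public static class ServerHeaderCheck
{
    // Hypothetical helper: starts a throwaway Kestrel host and returns the
    // Server header value it sends, or null when the header is absent.
    public static async Task<string> GetServerHeaderAsync(bool addServerHeader)
    {
        using var host = Host.CreateDefaultBuilder()
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseUrls("http://127.0.0.1:0"); // port 0: the OS picks a free port
                webBuilder.UseKestrel(options => options.AddServerHeader = addServerHeader);
                webBuilder.Configure(app => app.Run(ctx => ctx.Response.WriteAsync("ok")));
            })
            .Build();
        await host.StartAsync();

        // Read back the address Kestrel actually bound to.
        var address = host.Services.GetRequiredService<IServer>()
            .Features.Get<IServerAddressesFeature>().Addresses.First();

        using var client = new HttpClient();
        using var response = await client.GetAsync(address);
        await host.StopAsync();
        return response.Headers.TryGetValues("Server", out var values)
            ? string.Join(" ", values) : null;
    }

    public static async Task Main()
    {
        var before = await GetServerHeaderAsync(addServerHeader: true);
        var after = await GetServerHeaderAsync(addServerHeader: false);
        Console.WriteLine($"default:  Server = {before ?? "(absent)"}");
        Console.WriteLine($"hardened: Server = {after ?? "(absent)"}");
        if (after != null) throw new InvalidOperationException("Server header is still sent");
    }
}
```

This exercises Kestrel only; a reverse proxy or other server in front of the application can add its own Server header, so run the same check against the deployed URL as well.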
Conclusion
In this post, I showed how to remove the server header from ASP.NET Core 3.1. That’s all from this post. If you have any questions or just want to chat with me, feel free to leave a comment below.
This does not remove IIS Server.
Could you please tell how to remove the IIS Server header?
Hi Abu, are you asking how to remove “IIS” from the response header? Are you seeing “IIS” in your API response header?
When we use UseKestrel then we cannot run our application in the IIS server. We want to remove serverHeader while running application in the IIS server.
The solution you mentioned above will not allow our application to run on IIS
Anyone figured out removing the Server info from the response header without using the UseKestrel option?