How to remove the server header from ASP.NET Core 3.1

KarthikKannan — Sun, 03 May 2020 00:46:21 +0000

In this post, I will show how to remove the server header from ASP.NET Core 3.1. The fix is the same for other versions as well.

Are you looking for more security features from the below list to implement in the ASP.NET Core application?

content-security-policy
x-content-type-options: nosniff
x-download-options: noopen
x-frame-options: Deny
x-ua-compatible: IE=edge,chrome=1
x-xss-protection: 1; mode=block

Add required security code in the ASP.NET Core application to avoid exploitation by the hackers.

Let me walk you through the problem and the solution to it. Most of us create ASP.NET Core applications using the default template that is available from Visual Studio IDE. The created template does not have the security feature implemented by default.

You may create a brand new ASP.NET Core Web Application using the default template and run the default weatherforecast endpoint, you will see the below response.

Open the developers’ tool by pressing F12 on your keyboard.

Response header details for a given API endpoint

Response header has server details displayed which puts the web application gets exploited by the outside world.

Remove Server Header

The code shown below is in the “Program” class which is created by default.

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup();
                });
    }
}

Fix is pretty small and easy. come, let’s fix it.

Code Fix

Add UseKestrel and specify AddServerHeader to false which is to make sure the server header is not sent in the API response.

webBuilder.UseKestrel((options) =>
                    {
                        // Do not add the Server HTTP header.
                        options.AddServerHeader = false;
                    });

Complete Code

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup();
                    webBuilder.UseKestrel((options) =>
                    {
                        // Do not add the Server HTTP header.
                        options.AddServerHeader = false;
                    });
                });
    }
}

Server header information removed

Related Resources

Conclusion

In this post, I showed how to remove the server header from ASP.NET Core 3.1. That’s all from this post. If you have any questions or just want to chat with me, feel free to leave a comment below.

The post How to remove the server header from ASP.NET Core 3.1 appeared first on Learn Smart Coding.