Hardening ASP.NET Response Headers (Code)

A reliable way to harden an ASP.NET web application is to remove or skew its response headers in code. Automated scanners that grab banners to fingerprint the server and framework version, as a first step towards identifying vulnerabilities, then have less to match against. IIS can be configured to do this as well, but doing it in code means the change travels with the application to every environment it is deployed to. That may include UAT servers in the DMZ that could be exposed to external threats.

I learned this technique in an enterprise environment.

Setup

ASP.NET Web Application (.NET Framework 4.5.2)

Global.asax

// Wired up by name in Global.asax; runs just before the headers of each response are written.
// Response.Headers is writable only under the IIS integrated pipeline (classic mode throws
// PlatformNotSupportedException).
protected void Application_PreSendRequestHeaders()
{
     Response.Headers.Set("Server", "FooServer");      // replace the IIS banner with a decoy value
     Response.Headers.Remove("X-AspNet-Version");      // framework version added by ASP.NET
     Response.Headers.Set("X-Powered-By", "");         // blank the header IIS adds from its config
     Response.Headers.Remove("X-SourceFiles");         // debug header added by IIS Express/Visual Studio
}

Http Module

using System;
using System.Web;

// Namespace matches the type name registered in web.config below.
namespace WebApplication4.Modules
{
     public class HardeningHttpModule : IHttpModule
     {
          public void Init(HttpApplication context)
          {
               // Hook the point just before response headers are flushed to the client.
               context.PreSendRequestHeaders += OnPreSendRequestHeaders;
          }

          public void Dispose() { }

          void OnPreSendRequestHeaders(object sender, EventArgs e)
          {
               // HttpContext.Current can be null for requests that never entered the managed pipeline.
               if (HttpContext.Current != null) {
                    HttpContext.Current.Response.Headers.Set("Server", "FooServer");
               }
          }
     }
}

web.config

<system.webServer>
    <modules>
      <add name="HardeningHttpModule" type="WebApplication4.Modules.HardeningHttpModule" />
    </modules>
</system.webServer>
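The Global.asax handler and the HTTP module above each hard-code one or two headers and both rely on the PreSendRequestHeaders event, which Microsoft documents as unsupported for managed modules under IIS 7+ integrated mode; on .NET Framework 4.5.2 (the version this post targets) the supported replacement is HttpResponse.AddOnSendingHeaders. The module below is an added example, not code from the original post: it drives both the set and remove cases from one policy table, skips the classic pipeline where Response.Headers is not writable, and registers its callback per request via AddOnSendingHeaders. The namespace, class name and the "FooServer" decoy value are assumptions carried over from the post's own snippets.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

namespace WebApplication4.Modules
{
    // Added example: a policy-driven header hardening module (not the original post's code).
    public class ResponseHeaderPolicyModule : IHttpModule
    {
        // Headers that only serve to fingerprint the framework; dropped entirely.
        private static readonly string[] HeadersToRemove =
        {
            "X-AspNet-Version",
            "X-AspNetMvc-Version",
            "X-SourceFiles",
            "X-Powered-By"
        };

        // Headers that must stay present but should not reveal the real product.
        // "FooServer" is the placeholder value used in the post.
        private static readonly Dictionary<string, string> HeadersToSet =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "Server", "FooServer" }
            };

        public void Init(HttpApplication application)
        {
            // Response.Headers can only be modified under the IIS integrated pipeline;
            // in classic mode every access throws PlatformNotSupportedException.
            if (!HttpRuntime.UsingIntegratedPipeline)
            {
                return;
            }

            application.BeginRequest += (sender, e) =>
            {
                var app = (HttpApplication)sender;
                // AddOnSendingHeaders (.NET 4.5.2+) runs the callback exactly once per
                // response, right before the headers are sent, without the caveats of
                // handling PreSendRequestHeaders in a managed module.
                app.Context.Response.AddOnSendingHeaders(ApplyPolicy);
            };
        }

        // Applies the removal and overwrite tables to the outgoing response.
        public static void ApplyPolicy(HttpContext context)
        {
            var headers = context.Response.Headers;

            foreach (var name in HeadersToRemove)
            {
                headers.Remove(name);
            }

            foreach (var pair in HeadersToSet)
            {
                // Set() replaces any existing value instead of appending a second one.
                headers.Set(pair.Key, pair.Value);
            }
        }

        public void Dispose() { }
    }
}
```

Register it in web.config exactly like the module in the post, substituting the type name WebApplication4.Modules.ResponseHeaderPolicyModule. Keeping the header names in a table rather than in individual calls makes the policy easy to review and to extend, and the integrated-pipeline guard means the module degrades silently rather than failing every request when it is dropped into an application pool running in classic mode.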

Verifying