The less you give to hackers, the safer your web application is. Hiding the product, technology, and version information of your server is one big step towards narrowing the attack surface of your application.
By default, an IIS server reveals this data to everyone who can reach your application:
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
This data can be viewed with a proxy such as Fiddler.
You can remove these headers by adding a few lines to the web.config and Global.asax files. You don't need to make any configuration changes in IIS itself if you are using IIS 7 or later.
Remove “Server” header
Add this method into Global.asax:
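// Runs just before the response headers are sent to the client.
// Response.Headers can only be modified in the IIS 7+ integrated pipeline.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("Server");
}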
Add this line into Application_Start in Global.asax:
PreSendRequestHeaders += Application_PreSendRequestHeaders;
Remove “X-AspNet-Version” header
Add this line into web.config:
<system.web>
  <httpRuntime enableVersionHeader="false" />
  ...
</system.web>
Remove “X-Powered-By” header
Add this line into web.config:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
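To confirm the three changes took effect, the check below reports which of the headers named above are still present in a response. It is an added example, not part of the original post; the function names, the default request paths and the sample responses are assumptions constructed for illustration.

```python
import http.client

# Headers the page identifies as revealing product, technology and version.
DISCLOSING = ("server", "x-aspnet-version", "x-powered-by")

def disclosed(header_pairs):
    """Return {header-name: value} for every disclosing header present.

    header_pairs is an iterable of (name, value) tuples; names are matched
    case-insensitively because HTTP header names are case-insensitive.
    """
    found = {}
    for name, value in header_pairs:
        if name.strip().lower() in DISCLOSING:
            found[name.strip()] = value.strip()
    return found

def parse_raw_head(raw):
    """Split a raw HTTP response head (bytes) into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")[1:]          # skip the status line
    return [tuple(l.split(":", 1)) for l in lines if ":" in l]

def check_site(host, paths=("/", "/no-such-page.aspx"), use_tls=True):
    """Request each path on a live host and report disclosing headers per path.

    The default paths are assumptions: one normal page and one expected to
    return an error, since error responses may be generated differently.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    report = {}
    for path in paths:
        conn = conn_cls(host, timeout=10)
        try:
            conn.request("GET", path)
            report[path] = disclosed(conn.getresponse().getheaders())
        finally:
            conn.close()
    return report

# Constructed samples: the default headers shown on the page, and the same
# response after the three changes have been applied.
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: Microsoft-IIS/7.5\r\nX-AspNet-Version: 2.0.50727\r\n"
          b"X-Powered-By: ASP.NET\r\n\r\n<html></html>")
AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(disclosed(parse_raw_head(BEFORE)))   # all three headers reported
    print(disclosed(parse_raw_head(AFTER)))    # empty dict
```

Run `check_site` against your own host after deploying; an empty dict for every path means none of the three headers is being sent.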