How to remove the server header from ASP.NET Core 3.1

In this post, I will show how to remove the server header from ASP.NET Core 3.1. The fix is the same for other versions as well.

Are you looking to implement more security features from the list below in your ASP.NET Core application?

  • content-security-policy
  • x-content-type-options: nosniff
  • x-download-options: noopen
  • x-frame-options: Deny
  • x-ua-compatible: IE=edge,chrome=1
  • x-xss-protection: 1; mode=block

Add the required security code to your ASP.NET Core application to avoid exploitation by hackers.

Let me walk you through the problem and its solution. Most of us create ASP.NET Core applications using the default template available in the Visual Studio IDE. The generated project does not have the security features implemented by default.

If you create a brand new ASP.NET Core Web Application using the default template and run the default weatherforecast endpoint, you will see the response below.

Open the browser's developer tools by pressing F12 on your keyboard.


Response header details for a given API endpoint

The response headers include the server details, which exposes the web application to exploitation by the outside world.

Remove Server Header

The code shown below is in the "Program" class which is created by default.

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                });
    }
}

The fix is small and easy. Come, let's fix it.

Code Fix

Call UseKestrel and set AddServerHeader to false so that the server header is not sent in the API response.

webBuilder.UseKestrel((options) =>
{
    // Do not add the Server HTTP header.
    options.AddServerHeader = false;
});

Complete Code

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

namespace KarthikTechBlog.SecurityFeatures.API
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                    webBuilder.UseKestrel((options) =>
                    {
                        // Do not add the Server HTTP header.
                        options.AddServerHeader = false;
                    });
                });
    }
}

Server header information removed

Conclusion

In this post, I showed how to remove the server header from ASP.NET Core 3.1. That’s all from this post. If you have any questions or just want to chat with me, feel free to leave a comment below.

4 thoughts on “How to remove the server header from ASP.NET Core 3.1”

      1. When we use UseKestrel then we cannot run our application in the IIS server. We want to remove serverHeader while running application in the IIS server.
        The solution you mentioned above will not allow our application to run on IIS
