In this article, we will see how to remove unwanted HTTP headers and why we want to remove the headers.
IntroductionIn this article we will see how to remove unwanted HTTP headers and why we want to remove the headers.Why we want to remove unwanted HTTP headersIf you are a developer/architect in web application development and someone asks about the "Technology", "Web Server" and "Framework version", then they didn't share with the outside world. But this information will be published via HTTP headers for each page request as shown in the following image.Exposing this site information is really considered to be a security vulnerability. Hackers can easily understand your application and use the information in an attack.How to remove unwanted HTTP headersWe will create a simple HTTP module and remove these headers.StepsFirst implement the "IHttpModule" interface and its methods, to create a custom HTTP module.The "IHttpModule" interface has two methods and in the "Init" method implementation we will register an Event handler. In the Event handler, we will just get the current HTTP response and remove the unwanted response header as shown below.That's all from the module file, now we want to register this module in our application. We need to add the following tag in the "Web.Config" file.If you are using the Integrated mode then configure your handlers & modules in system.webServer instead of system.web.Now we will load the page and inspect the headers and we will see that the headers are removed except the "Powered-By".Just add the following Key in the "Web.config" file, it'll remove the "Powered-By" header also.If we run the page we see the final output.SummaryIn this article, we will see how to remove the unwanted HTTP headers using Custom HTTP modules.
Diving Into ASP.NET WebAPI