Platform Administration and Architecture

Remove header information from responses sent by your website

Abstract

How to save bandwidth by removing X-headers from Sitecores HTTP responses.

Applies to

All core roles

Sitecore Installation Framework

Header information not removed by default.

Azure Toolkit

Header information removed by default.

SXA

Header information removed by default.

You can improve security and save a small amount of bandwidth if you remove the header information from each response sent by your website.

These headers contain a number of infrastructure details about the framework that is used on your website that you do not need to publicize.

Remove the X-Aspnet-Version HTTP header

If you remove the X-Aspnet-Version HTTP header information from each web page, you save a little bandwidth and ensure that you are not publicizing which version of ASP.NET you are using.

To remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the web.config file.

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For more information, see the dotnetperls website.

Remove the X-Powered-By HTTP header

If you remove the X-Powered-By HTTP header, you are not publicizing which version of ASP.NET you are using.

To remove the X-Powered-By HTTP header from each response from ASP.NET, add the following code to the web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Remove the X-AspNetMvc-Version HTTP header

If you remove the X-AspNetMvc-Version HTTP header, you are not publicizing which version of ASP.NET MVC you are using.

To remove the X-AspNetMvc-Version HTTP header, add the following code to the Application_Start method in the Global.asax.cs file:

protected void Application_Start(object sender, EventArgs e)
{
  MvcHandler.DisableMvcResponseHeader = true;
  // RegisterRoutes etc... and other stuff
}