Remove header information from responses sent by your website

Current version: 10.2

Applies to: All core roles

Sitecore Installation Framework: Header information not removed by default.

Azure Toolkit: Header information removed by default.

SXA: Header information removed by default.

You can improve security and save a small amount of bandwidth if you remove the header information from each response sent by your website.

These headers expose infrastructure details about the framework your website runs on, and you do not need to publicize them.

Remove the X-Aspnet-Version HTTP header

If you remove the X-Aspnet-Version HTTP header information from each web page, you save a little bandwidth and ensure that you are not publicizing which version of ASP.NET you are using.

To remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the web.config file:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For more information, see the dotnetperls website.

Remove the X-Powered-By HTTP header

If you remove the X-Powered-By HTTP header, you are not publicizing which version of ASP.NET you are using.

To remove the X-Powered-By HTTP header from each response from ASP.NET, add the following code to the web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
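
To confirm that a given web.config actually carries both settings (for example, as a deployment check on roles installed with the Sitecore Installation Framework, where the headers are not removed by default), the following added example parses the file and reports which of the two headers would still be sent. It is not Sitecore code; the function name and the sample configurations are constructed for illustration, and it inspects only the single file it is given.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the X-Powered-By removal is present.
SAMPLE_PARTIAL = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed sample: both settings described on this page are present.
SAMPLE_HARDENED = SAMPLE_PARTIAL.replace(
    '<httpRuntime targetFramework="4.8" />',
    '<httpRuntime targetFramework="4.8" enableVersionHeader="false" />')


def audit_web_config(xml_text):
    """Return the disclosure headers this web.config does not suppress."""
    root = ET.fromstring(xml_text)
    still_sent = []

    # X-AspNet-Version is sent unless every <httpRuntime> element
    # (including any under <location>) sets enableVersionHeader="false".
    runtimes = list(root.iter("httpRuntime"))
    if not runtimes or any(
            r.get("enableVersionHeader", "true").lower() != "false"
            for r in runtimes):
        still_sent.append("X-AspNet-Version")

    # X-Powered-By is sent unless <customHeaders> has a matching <remove>.
    removed = {r.get("name", "").lower()
               for ch in root.iter("customHeaders")
               for r in ch.findall("remove")}
    if "x-powered-by" not in removed:
        still_sent.append("X-Powered-By")
    return still_sent


if __name__ == "__main__":
    for label, cfg in (("partial", SAMPLE_PARTIAL), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit_web_config(cfg) or "no disclosure headers")
```

A clean result from this check covers the configuration file only; inspecting a live response from the site remains the final confirmation.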
