
Remove header information from responses sent by your website

Applies to: All core roles
Sitecore Installation Framework: Header information not removed by default.
Azure Toolkit: Header information removed by default.
SXA: Header information removed by default.

You can improve security and save a small amount of bandwidth if you remove the header information from each response sent by your website.

These headers disclose details about the framework your website runs on that you do not need to publicize.

Remove the X-Aspnet-Version HTTP header

If you remove the X-Aspnet-Version HTTP header information from each web page, you save a little bandwidth and ensure that you are not publicizing which version of ASP.NET you are using.

To remove the X-Aspnet-Version HTTP header from each response from ASP.NET, add the following code to the web.config file:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

For more information, see the dotnetperls website.

Remove the X-Powered-By HTTP header

If you remove the X-Powered-By HTTP header, you are not publicizing which version of ASP.NET you are using.

To remove the X-Powered-By HTTP header from each response from ASP.NET, add the following code to the web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
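
To confirm that a role's web.config actually contains both settings, for example as a deployment check, the following Python script parses the file and reports which of the two headers is still enabled. It is an added example, not Sitecore code: the function name `audit_web_config` and both sample files are constructed for illustration, and it inspects only the top-level `system.web` and `system.webServer` sections. It goes slightly beyond the snippets above by also treating `<clear />` as a removal and by flagging a later `<add name="X-Powered-By" />` that would put the header back.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text):
    """Return findings; an empty list means both headers are suppressed."""
    root = ET.fromstring(xml_text)
    findings = []
    # X-Aspnet-Version: <system.web><httpRuntime enableVersionHeader="false" />
    runtime = root.find("system.web/httpRuntime")
    if runtime is None or runtime.get("enableVersionHeader") != "false":
        findings.append('X-Aspnet-Version: enableVersionHeader is not "false"')
    # X-Powered-By: walk <customHeaders> in document order, because a later
    # <add> re-introduces a header that an earlier <remove> or <clear /> dropped.
    headers = root.find("system.webServer/httpProtocol/customHeaders")
    suppressed = False
    for child in (headers if headers is not None else []):
        name = (child.get("name") or "").lower()
        if child.tag == "clear" or (child.tag == "remove" and name == "x-powered-by"):
            suppressed = True
        elif child.tag == "add" and name == "x-powered-by":
            suppressed = False
    if not suppressed:
        findings.append("X-Powered-By: not removed in customHeaders")
    return findings

# Constructed sample files (not taken from a real Sitecore installation).
HARDENED = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

DEFAULT = """<configuration>
  <system.web><httpRuntime maxRequestLength="512000" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, audit_web_config(text) or "OK")
```
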