The Benefits of Removing ASP.NET Headers

Different headers are transmitted by servers and web applications in their HTTP responses. These headers can carry information about the server itself, control directives for caches, and metadata about the web content.

Headers like X-Powered-By and Server headers identifying Kestrel are fairly common in the ASP.NET ecosystem. Even though these headers might not seem very important at first, there are a number of strong arguments in favor of hiding or deleting them. This article explores the reasons behind that.

Protection via Obscurity

By itself, the “security through obscurity” principle is not a strong enough defense. On the other hand, it can work well as a deterrent against possible attackers when paired with additional security measures.

  • Information Leakage: Headers such as X-Powered-By openly disclose that an ASP.NET website is being used. Similarly, a Server header with the value Kestrel indicates that the Kestrel web server is in use. Thanks to this information, attackers have a clear target, since they know which platform vulnerabilities to take advantage of.
  • Reducing Attack Surface: We are effectively concealing the technology stack from possible attackers by deleting these headers. Because of the increased time and effort required to understand the underlying technologies, opportunistic attacks are less likely.

Professionalism and Branding

  • Custom Experience: When it comes to a polished product or service, its underlying tools are hidden until needed. Businesses can project a neater and more polished image to customers and rivals who may be closely examining their web services by removing superfluous headers.
  • Branding Control: Companies can make custom headers to match their branding or convey particular messages, making sure they control the story around their technology stack and not the other way around.

Performance

Even though most applications won’t notice much of a performance boost, the following is still important to note:

  • Reduced Payload: Even though they are tiny, headers still use bandwidth. We can marginally decrease the response size and accelerate transmissions by eliminating superfluous headers. This is particularly apparent in large-scale applications.

Consistency Across Services

Businesses frequently employ a variety of platforms and technologies for their diverse services. Through header standardization or removal:

  • Uniform Appearance: Regardless of the underlying technology, organizations can make sure that responses from all of their services seem consistent.
  • Simplified Debugging: Debugging problems can also be facilitated by standardizing responses, since tech-specific noise in the headers won’t impede developers and operations teams.

How to Get Rid of These Headers in ASP.NET Core

In ASP.NET Core, headers can be removed by making modifications in the Program.cs file. On IIS 10, however, it’s possible to just use the web.config file. This saves the need to recompile the application.

Here is an example:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
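
For the Program.cs route mentioned above, the following is an added example, not code from the original article. It assumes a .NET 6+ project using the Web SDK with implicit usings; the header list and the "/" endpoint are illustrative.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting model).
// Added example; the header list and endpoint below are assumptions.
var builder = WebApplication.CreateBuilder(args);

// Kestrel adds "Server: Kestrel" to responses unless this option is disabled.
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);

var app = builder.Build();

// Headers to strip if any component inside the application sets them.
// Illustrative list: extend it to match what your own stack emits.
string[] disclosingHeaders = { "Server", "X-Powered-By" };

// Register this middleware first so it wraps the rest of the pipeline.
app.Use(async (context, next) =>
{
    // OnStarting callbacks run just before the response headers are sent,
    // so headers added by later middleware or endpoints are also caught.
    context.Response.OnStarting(() =>
    {
        foreach (var name in disclosingHeaders)
        {
            context.Response.Headers.Remove(name);
        }
        return Task.CompletedTask;
    });

    await next(context);
});

// Placeholder endpoint so the application has something to serve.
app.MapGet("/", () => "ok");

app.Run();
```

This only affects headers produced inside the application. Headers that IIS adds itself are handled by the web.config settings shown above.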
