How To Disable Headers Excessive Information


Response headers are added in different places:

  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

A. To remove the Server header we add the following method and code to the Global.asax.cs file in the WebAPI project: protected void Application_PreSendRequestHeaders(object sender, EventArgs e)

B. To remove the X-AspNet-Version header ensure that the Web.config has the following xml: <configuration>
      <httpRuntime enableVersionHeader="false" />

C. To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows: protected void Application_Start()
      MvcHandler.DisableMvcResponseHeader = true;

D. To remove the X-Powered-By header ensure that the Web.config has the following xml: <configuration>
            <remove name="X-Powered-By" />

E. To suppress all the other headers ensure that the Web.config contains the following xml: <configuration>
          <suppressVersionHttpHeaders enabled="true" />

F. If the header value shows Microsoft-HTTPAPI/2.0 then add a DisbableServerHeader REG_DWORD with a value of 1 to the following:
Network Security : Fixing Excessive Information Headers, How To Disable Headers Excessive Information
This requires the HTTP.SYS service to be restarted


In default Apache configuration, the server sends HTTP Header with the information of Apache version, modules, Operating System, etc of the Server. The HTTP response header "Server" displays all these details of the server. This information can be used by hackers to try to exploit any vulnerabilities in the Apache, OS or other modules you are running, especially if you are running an older version with known vulnerabilities.

Solution is to hide this kind of information.

To do that you have to use the Apache Header Directive. Basically this Header Directive is processed just before the response is sent back to the network, so it allows you to overwrite/modify the response header set by your application.

  1. To remove Server header
    1. For Apache httpd.conf location is /usr/local/httpd/conf/httpd.conf. Edit this file and add the following line to load the header module
      LoadModule headers_module modules/
    2. Make sure above module is loaded.
    3. After headers_module is loaded, include the following lines of config in the httpd.conf, if the settings are there, make sure it is the correct value.
      ServerTokens Prod
      ServerSignature Off
    4. After making changes restart apache service. ServerSignature will remove the version information from the page generated like 403, 404, 502, etc. by apache web server. ServerTokens will change Header to production only, i.e. Apache
  2. To remove X-Powered-By header, include following lines in the httpd.conf.
  3. # If mod_headers module is included, we will disable the Server response header totally
    <IfModule mod_headers.c>
    Header unset X-Powered-By

For Apache Coyote

As per good security practice, the banner should be removed or modified, so that it no longer reveals the version number. This can be achieved by editing your server.xml configuration file found at the below location:

change value to the server paramer in the config file

FOR Servlet 2.5; JBoss5.0/JBossWeb2.1

To suppress the X-Powered-By header under JBoss 5.0, comment out the init-param, param-name, and param-value line entries from the web.xml located in ${jboss.home}server/${}/deployers/jbossweb.deployer/.

For PHP Version

To Hide the PHP version from remote HTTP requests, edit your php.ini file (often found in /etc/php.ini), and change the line that reads expose_php On to Off:

expose_php = Off -