Remove “Server” header from ASP.NET Core 2.1 application

Submitted by 巧了我就是萌 on 2020-01-12 04:37:07

Question


Is it possible to remove the Server Response header in an ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?

I tried putting the following in the web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <remove name="X-Powered-By" />
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel".


Answer 1:


The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.

You can remove the Server header by setting the AddServerHeader property to false on KestrelServerOptions; this can be done in Program.cs.

public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        .UseKestrel(options => options.AddServerHeader = false)
        .UseStartup<Startup>();



Answer 2:


This solution works on IIS 10+ and allows removing the x-powered-by and server headers from the server response.

In IIS 10 a new attribute was added: removeServerHeader.

We need to create a web.config file in the ASP.NET Core application with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Then publish the app and restart the site in IIS.




Answer 3:


Those who are trying to do the same thing (removing the Server response header added by the Kestrel web server) but are using ASP.NET Core 2.2 instead should use the extension method ConfigureKestrel (https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.webhostbuilderkestrelextensions.configurekestrel?view=aspnetcore-2.2#Microsoft_AspNetCore_Hosting_WebHostBuilderKestrelExtensions_ConfigureKestrel_Microsoft_AspNetCore_Hosting_IWebHostBuilder_System_Action_Microsoft_AspNetCore_Server_Kestrel_Core_KestrelServerOptions__) instead of the extension method UseKestrel.
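
A check for the result, as an added example that is not part of the original question or answers: it parses a raw HTTP response and reports whether Server or X-Powered-By is still disclosed and whether the three headers from the question's web.config are present. The function names and the two sample responses are constructed for illustration.

```python
# Added example: audit a raw HTTP response for the headers discussed on this page.
# Function names and sample responses are constructed for illustration.

FINGERPRINT_HEADERS = ("server", "x-powered-by")   # should not be sent at all
EXPECTED_HEADERS = {                                # values from the question's web.config
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}

def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} from the header block of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:             # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                     # header names are case-insensitive
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: bytes) -> list:
    """Return a list of findings; an empty list means the response passes."""
    headers = parse_headers(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        for value in headers.get(name, []):
            findings.append(f"disclosed: {name}: {value}")
    for name, want in EXPECTED_HEADERS.items():
        got = [v.lower() for v in headers.get(name, [])]
        if not got:
            findings.append(f"missing: {name}")
        elif got != [want]:                         # wrong value or duplicated header
            findings.append(f"unexpected: {name}: {', '.join(got)}")
    return findings

# Constructed responses: the question's state (Server still "Kestrel") and the fixed state.
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Kestrel\r\n"
          b"X-Frame-Options: sameorigin\r\nX-XSS-Protection: 1; mode=block\r\n"
          b"X-Content-Type-Options: nosniff\r\n\r\n<html></html>")
AFTER = BEFORE.replace(b"Server: Kestrel\r\n", b"")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "ok")
```

Run it against responses captured both directly from Kestrel and through IIS, since the answers above change the header at different layers.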



Source: https://stackoverflow.com/questions/52452194/remove-server-header-from-asp-net-core-2-1-application
