Remove X-AspNet-Version and X-Powered-By HTTP Header using IIS

When an HTTP request is made to a web server (like IIS), HTTP headers are transferred from the Browser to the webserver and vice-versa. The HTTP Headers sent by IIS to the browser gives information like how to render the content or gives information about the web server software, version etc.

One such HTTP Headers is the X-Powered-By and X-AspNet-Version which tells the browser that the site is powered by ASP.NET and the ASP.NET version that is used by the web server. Here’s a screenshot that shows the Response Headers using FireBug. You can clearly see both the headers, which shows that my IIS is powered by ASP.NET and its version is 4.0.30319

HTTPHeadersFireBug

Remove X-AspNet-Version HTTP Header

If for some reason (like saving bytes in high traffic sites), you want to prevent this Header from being sent to the browser, use the following configuration in your web.config file

enableVersionHeader

Here we are setting the enableVersionHeader property to false in the <httpRuntime> tag

Remove X-Powered-By HTTP Header

In order to remove the X-Powered-By HTTP Header, browse to the site in IIS 7 Manager and locate ‘HTTP Response Headers’

IIS Http Response Header

Double click ‘HTTP Response Headers’ and click on Remove.

IIS Http Response Header

Now when you request the same site again, you will find that both the HTTP Headers X-Powered-By and X-AspNet-Version are no more sent by IIS to the browser

HTTP Header Removed

2 comments:

  1. Super cool IIS tip! I will add this one to my performance checklist.

    Save every byte!

    ReplyDelete
  2. You can also remove Server and X-AspNetMvc-Version if you use ASP.NET MVC

    http://arturito.net/2011/10/21/how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7/

    ReplyDelete