Secure Application to Prevent HTTP Header Leaks in

by Virender
December 7, 2015

Security is an important factor in application development. We use different techniques to secure an application, such as network security, application security and database security.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. It provides various sets of instructions for securing web applications.

OWASP suggests adding and removing certain HTTP headers to secure your applications.

Today we are removing the following HTTP headers from our response, so that a user cannot identify our web server and the technology we are using. These are default headers that the .NET Framework adds to the response; from them a user can identify our web server (IIS) version, ASP.NET version and ASP.NET MVC version.

When you call any API from a REST client, you will see these HTTP headers, added by the .NET Framework, in the response.

You can use any REST client to test your API. We are using the POSTMAN REST client.

We have two ways to remove HTTP headers: use Global.asax, or use the Web.config file.

1. Remove Server, X-AspNet-Version and X-AspNetMvc-Version – use the Application_PreSendRequestHeaders event in Global.asax to remove headers from the HTTP response.

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpApplication app = sender as HttpApplication; // Response.Headers is writable only under the IIS integrated pipeline
    if (app != null && app.Context != null)
        foreach (var name in new[] { "Server", "X-AspNet-Version", "X-AspNetMvc-Version" })
            app.Context.Response.Headers.Remove(name); // strip the headers that reveal IIS, ASP.NET and MVC versions
}

2. Remove the X-Powered-By header and add some important security headers – some headers are not available in Global.asax, so you need the Web.config file to remove and add these headers.

<!-- placed inside <system.webServer><httpProtocol> in Web.config -->
<customHeaders>
    <remove name="X-Powered-By" />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>

You can learn more about useful HTTP headers here –

After implementing this, you will see that the Server, X-AspNet-Version, X-AspNetMvc-Version and X-Powered-By headers are removed from the response.

Step-by-step example to remove unwanted headers from the response

1. Create an MVC + Web API project

2. Run the project

3. Add an API folder and create TestController

4. Use the following code for TestController

5. Call the API from the REST client

6. Check the headers marked with the arrow


7. Use the following code in Global.asax to remove the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers

8. Run the code and check that the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers are removed.

9. Now use the following custom headers in Web.config to remove the X-Powered-By HTTP header

10. Check that the X-Powered-By HTTP header is removed and the other useful HTTP headers are added
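The check in step 10 can be scripted instead of read off a Postman screenshot. The following Python script is an added example, not code from the original post: the two raw HTTP responses in it are constructed samples (the header values are illustrative), and it reports which version-leaking headers are still present and which of the three security headers from the Web.config block are missing or carry the wrong value.

```python
# Added example (not from the original post): audit a captured HTTP response
# for the version-leaking headers removed above and the security headers added.

# Headers that reveal IIS / ASP.NET / MVC versions; none of them should appear
LEAKY_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
# Headers the Web.config customHeaders block adds, with the values expected
REQUIRED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into its status line and a name->value dict.
    Names are lower-cased because header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:                       # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def audit_headers(raw):
    """Return (leaked, missing): leaky headers still present, and required
    security headers that are absent or carry an unexpected value."""
    _, headers = parse_response_headers(raw)
    leaked = [h for h in LEAKY_HEADERS if h.lower() in headers]
    missing = [h for h, want in REQUIRED_HEADERS.items()
               if headers.get(h.lower()) != want]
    return leaked, missing

# Constructed sample responses; the values are illustrative, not captured from a real server
BEFORE_FIX = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
              "Server: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\n"
              "X-AspNetMvc-Version: 5.2\r\nX-Powered-By: ASP.NET\r\n\r\n{\"ok\":true}")
AFTER_FIX = ("HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
             "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
             "X-Content-Type-Options: nosniff\r\n\r\n{\"ok\":true}")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        leaked, missing = audit_headers(raw)
        print(f"{label}: leaked={leaked} missing={missing}")
```

To audit a live endpoint, replace the constructed samples with the raw response text your REST client or proxy saved.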
