Information Security, Web, Networks and Systems

Thursday, April 17, 2014

Configuring Secure IIS Response Headers in ASP.NET MVC

In a previous post I talked about how to configure a secure response in Apache by adding secure response headers (such as X-Frame-Options, X-XSS-Protection etc) and omitting headers that disclose internal implementation and technical details of the apache web server (such as X-Powered-By). In this post, I will talk about how to do this in an ASP.NET MVC web application. Instead of configuring these settings in the IIS server, this time I'm going to do this in the ASP.NET code itself since it gives more flexibility and does not affect other applications hosted on the same IIS server.

Following is the defaullt IIS response, which includes detailed technical information on the server, and the version and MVC version.

We need to hide the following headers. 

Removing Server Header
Open the Global.asax.cs file. Use Application_BeginRequest event to hide the server header. Add the following event to the file, if that method already exists, add the content of following method into the existing event method.

protected void Application_BeginRequest(object sender, EventArgs e) {
 var app = sender as HttpApplication; 
 if (app != null && app.Context != null) {

Removing X-AspNet-Version Header

Open the Web.Config file, find the node <httpRuntime> under <system.web> add the enableVersionHeader attribute to httpRuntime node and set it to false.

<httpRuntime maxRequestLength="4096" targetFramework="4.5" enableVersionHeader="false"/>

Removing X-AspNetMvc-Version Header

Open the Global.asax.cs file, find the event Application_Start event and add the following line at the end of the code.

protected void Application_Start()
    //some code
    MvcHandler.DisableMvcResponseHeader = true; //this line is to hide mvc header

Removing X-Powered-By Header

Open the Web.Config file, find the <httpProtocol> node under the <system.webServer> node. Check whether these is a child node under <httpProtocol> called <customHeaders>. By default in MVC, you will not see this customHeaders child node. If it does not exist, create a <cusstomHeaders> node and add following include following to remove X-Powered-By header.

  <remove name="X-Powered-By"/>

After removing above headers, the IIS response will look like this.

X-SourceFiles Header included the base64 encoded physical path of the source files in your hard disk. This header is only sent for the request from localhost. So, there's no need to worry about removing this.

Add Secure Response Headers

Now we have removed the headers that disclose internal technical details of the web server. We can now add additional security headers that harden the security of the application. Those additional security headers are as follows. You can learn more about what those headers do, here.


There are few ways to configure secure response headers in an application. One is to add a <customHeaders> node inside <httpProtocol> in Web.Config. The other way is to use NWebsec package which can be used to configure secure response headers.

Using <customHeaders> in Web.Config

To add these headers, go to the <customHeaders> node previously added and add those headers inside the <customHeaders> node.

  <remove name="X-Powered-By"> 
  <add name="X-Frame-Options" value="DENY"> 
  <add name="X-XSS-Protection" value="1; mode=block"> 
  <add name="X-Content-Type-Options" value="nosniff "> 

Using NWebsec

For this, you need to install NWebsec package in Visual Studio using Package Manager Console.

Go to Tools -> Library Package Manager -> Package Manager Console

Install NWebSec Package using Package Manager Console.

PM > Install-Package NWebsec

After installation, find the node <nwebsec> inside Web.Config. Insert following entries inside its child node <httpHeaderSecurityModule>.

 <x-Xss-Protection blockmode="true" policy="FilterEnabled"></x-Xss-Protection>   <x-Content-Type-Options enabled="true"></x-Content-Type-Options> 
 <x-Frame-Options policy="Deny"> </x-Frame-Options>

After all, the secure response will look like this.


  1. The NWebsec securityHttpHeaders appear to be case sensitive:
    <x-XSS-Protection blockMode="true" policy="FilterEnabled"/>
    <x-Content-Type-Options enabled="true"/>
    <x-Frame-Options policy="Deny"/>


  2. hi! that's great, but it don't hide header files ex: ~/scripts/jquery.js, how to hide header of files link direct without control by MVC ?

    1. Assuming I understood your question correctly, headers are always sent from the server itself. You can't hide headers for static content(such as js/css/images) without configuring it in the server itself.

  3. Thank you very much for sharing security roundup that will make me able to get best knowledge about the things that I did not know before.


Note: Only a member of this blog may post a comment.