How to Remove the Server Header from WebListener


Sometimes enterprises or those hosting web sites wish to remove the Server HTTP response header so they can make it more difficult for an attacker to determine what type of web server they are using (IIS, Apache, etc.). Though it is doubtful how much protection this actually provides, it is still a common practice.

ASP.NET Core includes a new web server called WebListener that offers a lightweight alternative to IIS.

I was asked how to remove the Server header from WebListener by a customer. After some asking around and experimenting, the following solution turned out to be the best one at present:

public void Configure(IApplicationBuilder app)
{
    // Add code to the beginning of Configure to blank out
    // the header, which removes it
    app.Use((context, next) =>
    {
        context.Response.Headers.Add("Server", string.Empty);
        return next();
    });

    // continue with other pipeline configuration code...
}

Here is the response from a WebListener server before the above addition:
[Figure: Before]

Here is the response after the code was added:
[Figure: After]

In the latter figure, you can see that the server responded without the Server header in the HTTP response.
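
To confirm the result without reading screenshots, the following added example (not code from the original post) parses a raw HTTP response head and reports whether a Server header with a value is still being sent. The function names and the two sample responses are constructed for illustration; the `Microsoft-HTTPAPI/2.0` value is a constructed sample, not a value taken from this page's figures.

```python
def parse_head(raw: bytes):
    """Split a raw HTTP/1.x response head into (status_line, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and headers:
            # Obsolete line folding: append to the previous header's value.
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def server_header_values(raw: bytes):
    """Return every Server header value; header names are case-insensitive."""
    _, headers = parse_head(raw)
    return [value for name, value in headers if name.lower() == "server"]


def discloses_server(raw: bytes) -> bool:
    """True if any Server header carries a non-empty value.

    An absent header and a blank one are both treated as non-disclosing.
    """
    return any(server_header_values(raw))


# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
          b"Server: Microsoft-HTTPAPI/2.0\r\nContent-Length: 5\r\n\r\nhello")
AFTER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
         b"Content-Length: 5\r\n\r\nhello")
BLANK = b"HTTP/1.1 200 OK\r\nserver:\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("blank", BLANK)):
        print(label, "discloses server:", discloses_server(raw))
```

Feeding it the response head captured from a deployed site (for example, saved from a proxy or a test client) makes the check repeatable in a build or release pipeline.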
