I have an internet exposed WCF service running on IIS 7.5 that I need to secure. I would like to remove the "Server" header in the HTTP response.
I've implemented
For my self-hosted WCF service the answer from M Afifi does not work. I have to set an empty header:
httpCtx.OutgoingResponse.Headers.Add(HttpResponseHeader.Server.ToString(), string.Empty);
This removes the header from the response:
access-control-allow-headers →Content-Type, Authorization, Accept
access-control-allow-methods →GET, POST
access-control-allow-origin →*
content-type →application/json; charset=utf-8
date →Mon, 03 Jul 2017 07:22:17 GMT
status →200
Have you tried editing your web.config and using the customHeaders tag under system.webServer?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="Server" />
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
This results in my C# ASP.NET application only having the following response headers:
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 20992
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Last-Modified: Tue, 15 May 2012 18:01:11 GMT
ETag: "HHktEL5IWA6rspl4Bg2ZxNmnV3gTUCLt2cTldSsl05A="
Vary: Accept-Encoding
Date: Tue, 17 Jul 2012 21:38:38 GMT
Although I will admit I have not tried it with the "Server" header, this approach seems to work well. The reason I have not tried it with the "Server" header is that the following code in my IHttpModule works just fine.
using System;
using System.Web;
// Module class name assumed; register it under system.webServer/modules
public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += PreSendRequestHeaders;
    }
    void PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        if (HttpRuntime.UsingIntegratedPipeline)
        {
            application.Response.Headers.Remove("Server");
            application.Response.Headers.Remove("Expires");
            application.Response.Headers.Remove("Cache-Control");
            application.Response.AddHeader("Cache-Control", "max-age=3600, public");
        }
    }
    public void Dispose() { }
}
This works using an IDispatchMessageInspector:
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Web;

public class SecureBehaviour : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request,
        IClientChannel channel, InstanceContext instanceContext)
    {
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        // HttpContext.Current is null unless ASP.NET compatibility mode is enabled
        var httpCtx = HttpContext.Current;
        if (httpCtx != null)
        {
            httpCtx.Response.Headers.Remove(
                HttpResponseHeader.Server.ToString());
        }
    }
}
Work in progress.
This blog entry answers a little more about the different pipelines and why ASP.NET modules aren't quite working.
More to follow.
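The self-hosted answer (blank the header instead of removing it) and the inspector answer above can be combined into one piece that does not depend on HttpContext.Current at all, by editing the HttpResponseMessageProperty on the outgoing Message. The following is an added example, not code from the question or from any of the answers; the names ServerHeaderStripper, StripServerHeaderBehavior, IPing, PingService and the localhost port 8731 are assumptions for the demo.

```csharp
// Added example: strip the Server header from inside WCF by editing the
// HttpResponseMessageProperty of the reply, attached through an
// IEndpointBehavior. Works without aspNetCompatibilityEnabled. All class
// names and the port below are assumed for the demo.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

public class ServerHeaderStripper : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request,
        IClientChannel channel, InstanceContext instanceContext)
    {
        return null; // nothing to correlate between request and reply
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        if (reply == null) return; // one-way operation, nothing goes back

        object existing;
        HttpResponseMessageProperty http;
        if (reply.Properties.TryGetValue(HttpResponseMessageProperty.Name, out existing))
        {
            http = (HttpResponseMessageProperty)existing;
        }
        else
        {
            // WCF only attaches the property once something has set a
            // response header, so create it on demand.
            http = new HttpResponseMessageProperty();
            reply.Properties[HttpResponseMessageProperty.Name] = http;
        }
        // Same trick as the self-hosted answer: an empty value makes the
        // HTTP stack omit the header instead of filling in its default.
        http.Headers[HttpResponseHeader.Server] = string.Empty;
        http.Headers.Remove("X-Powered-By");
        http.Headers.Remove("X-AspNet-Version");
    }
}

// Attaches the inspector to the dispatch side of any endpoint it is added to.
public class StripServerHeaderBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint,
        BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint,
        ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint,
        EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(
            new ServerHeaderStripper());
    }
}

[ServiceContract]
public interface IPing
{
    [OperationContract, WebGet(UriTemplate = "ping")]
    string Ping();
}

public class PingService : IPing
{
    public string Ping() { return "pong"; }
}

public static class Program
{
    public static void Main()
    {
        // Self-host on localhost and dump what actually goes on the wire.
        var baseAddress = new Uri("http://localhost:8731/server-header-demo/");
        using (var host = new WebServiceHost(typeof(PingService), baseAddress))
        {
            ServiceEndpoint endpoint = host.AddServiceEndpoint(
                typeof(IPing), new WebHttpBinding(), string.Empty);
            endpoint.Behaviors.Add(new StripServerHeaderBehavior());
            host.Open();

            var request = (HttpWebRequest)WebRequest.Create(new Uri(baseAddress, "ping"));
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("HTTP {0}", (int)response.StatusCode);
                foreach (string name in response.Headers.AllKeys)
                    Console.WriteLine("{0}: {1}", name, response.Headers[name]);
                Console.WriteLine(response.Headers["Server"] == null
                    ? "Server header absent"
                    : "Server header still sent: " + response.Headers["Server"]);
            }
        }
    }
}
```

Run it elevated or reserve the URL first with `netsh http add urlacl`, since HTTP.sys will not let an unprivileged process listen on that prefix. For an IIS-hosted service, add the behavior from a ServiceHostFactory override or expose it through a BehaviorExtensionElement in web.config instead of the Main here. Whether the header also disappears under IIS depends on what IIS itself appends after WCF is done, which is the layer the HttpModule and registry answers on this page target; trust the header dump, not the code.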
Do you have access to the registry? If so, you could try
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader
Since you are hosting your service in IIS and have an HttpModule already spun up, try setting the ASP.NET Compatibility mode so that you can get to HttpContext.Current. You will need to make the following changes:
Modify your web.config and add the following to system.serviceModel:
<system.serviceModel>
  ...
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
Decorate your service class with this attribute:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
Give the HttpModule another shot and you should have better luck.