Secure Application to Prevent HTTP Header Leaks in

by Virender
December 7, 2015

Security is an important factor in application development. We use different techniques to secure our applications, such as network security, application security and database security.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. It provides different sets of instructions for securing web applications.

OWASP suggests adding some useful HTTP headers and removing others to secure your applications.

Today we are removing the following HTTP headers from our responses, so that a user can't identify our web server and the technology we are using. These are default headers that the .NET Framework adds to the response. With them, a user can identify our web server (IIS) version, ASP.NET version and ASP.NET MVC version.


When you call any API from a REST client, you will see the above HTTP headers, added by the .NET Framework, in the response.

You can use any REST client to test your API. We are using the Postman REST client.

We have two ways to remove HTTP headers: use Global.asax or use the Web.config file.

1. Remove Server, X-AspNet-Version and X-AspNetMvc-Version – Use the Application_PreSendRequestHeaders event in Global.asax to remove these headers from the HTTP response.

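    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication app = sender as HttpApplication;
        if (app != null && app.Context != null)
            // Strip the version-disclosing headers just before the response is sent.
            foreach (string name in new[] { "Server", "X-AspNet-Version", "X-AspNetMvc-Version" })
                app.Context.Response.Headers.Remove(name);
    }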

2. Remove the X-Powered-By header and add some important security headers – Some custom headers are not available in the Global.asax file. You need to use the Web.config file to remove and add these headers.

    <!-- Goes inside <system.webServer><httpProtocol><customHeaders> in Web.config -->
    <remove name="X-Powered-By" />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="X-Content-Type-Options" value="nosniff" />

You can learn more about useful HTTP headers here –

After implementing this, you will see that the Server, X-AspNet-Version, X-AspNetMvc-Version and X-Powered-By headers are removed from the response.

Step By Step Example to remove unwanted headers from response

1. Create MVC + Web API Project

2. Run Project

3. Add an API folder and create TestController

4. Use the following code for TestController

5. Call the API from a REST client

6. Check the headers marked by the arrow


7. Use the following code in Global.asax to remove the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers

8. Run the code and check that the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers are removed.

9. Now use the following custom headers in Web.config to remove the X-Powered-By HTTP header

10. Check that the X-Powered-By HTTP header is removed and that some other useful HTTP headers are added
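The checks in steps 8 and 10 can be automated. The following is an added example, not code from the original article: it audits a raw HTTP response head for the four disclosure headers removed above and for the three security headers set in Web.config. The function names and the two sample responses are constructed for illustration.

```python
LEAKY = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
REQUIRED = {"X-Frame-Options": "DENY",
            "X-XSS-Protection": "1; mode=block",
            "X-Content-Type-Options": "nosniff"}

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():                                 # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (leaked, problems) for one response, per the article's header policy."""
    headers = parse_headers(raw)
    leaked = {n: headers[n.lower()] for n in LEAKY if n.lower() in headers}
    problems = {}
    for name, expected in REQUIRED.items():
        values = headers.get(name.lower(), [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1 or values[0].lower() != expected.lower():
            problems[name] = "unexpected: " + " | ".join(values)
    return leaked, problems

# Constructed sample responses, not captured from a real server.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: application/json; charset=utf-8\r\n"
          "Server: Microsoft-IIS/8.5\r\n"
          "X-AspNetMvc-Version: 5.2\r\n"
          "X-AspNet-Version: 4.0.30319\r\n"
          "X-Powered-By: ASP.NET\r\n\r\n{}")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: application/json; charset=utf-8\r\n"
         "x-frame-options: DENY\r\n"
         "X-XSS-Protection: 1; mode=block\r\n"
         "X-Content-Type-Options: nosniff\r\n\r\n{}")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaked, problems = audit(raw)
        print(label, "leaked:", leaked, "problems:", problems)
```

Header names are matched case-insensitively, and a required header that appears more than once is reported as a problem rather than silently accepted.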

