• <1 minute

Removing standard server headers on Windows Azure Web Sites

Part of the HTTP communication process that occurs between web servers and browsers are the HTTP headers that are included in the request and response. For example, the following are the headers…

Part of the HTTP communication process that occurs between web servers and browsers are the HTTP headers that are included in the request and response. For example, the following are the headers recorded from a typical response to a web request on a typical site:

2727.1.JPG-350x0

HTTP Headers are a critical part of the communication process between clients and servers. They allow the server to send information that is related to the request, but not part of the content itself. For example, the Content-Length header tells the browser how long the content that it’s about to receive is, and Cache-Control header tells the browser whether it can cache the response or not.

There are two specific headers of particular interest, because they inform the client about the type of Web server that is servicing the request and its properties. While all Web Servers emit headers of this type, many people prefer that this information is not sent out by the servers, because they prefer to maintain a certain anonymity. Our customers asked us to allow these headers to be disabled on Azure Web Sites, and so with the recent release of Windows Azure Web Sites, we have enabled this to be done.

How do I get rid of them?

The removal of these headers is facilitated with the Request Filtering module, which is part of IIS. To remove a header, you need to have a web.config file stored on your site, with the following content:

1452.2.JPG-350x0

The above would remove the Server header. Other headers that many want to eliminate are the X-Powered-By and X-AspNet-Version headers. To remove these two, your web.config needs to contain the following segments. For X-Powered-By, the following would fall within the set:

5277.3.JPG-550x0

And for X-AspNet-Version, the following should be within :

0576.4.JPG-550x0

So, if you were to want to have them all removed, your Web.config will look like this:

3808.5.JPG-450x0

Naturally, if your site already had an existing web.config file, you would need to adjust it to contain either or both of the elements described above.