I tried to use this middleware:
public class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;

    /// <summary>
    /// Middleware that, just before the response headers are flushed, strips a couple of
    /// stack-identifying headers and adds two hardening headers when they are not already set.
    /// </summary>
    /// <param name="next">The next delegate in the request pipeline.</param>
    public SecurityHeadersMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    /// <summary>
    /// Registers the header callback on the current response, then runs the rest of the pipeline.
    /// The callback only sees headers produced inside this process; a header appended afterwards by
    /// a host or reverse proxy in front of the app (an <c>X-Powered-By: ASP.NET</c> header is
    /// typically added by IIS) is not visible here and must be removed in that layer's configuration.
    /// </summary>
    /// <param name="context">The HTTP context of the request being processed.</param>
    public async Task Invoke(HttpContext context)
    {
        context.Response.OnStarting(ApplyHeaders, context);
        await _next(context);
    }

    // Runs once per response, before the headers are written to the client.
    private static Task ApplyHeaders(object state)
    {
        var headers = ((HttpContext)state).Response.Headers;

        // Opt out of the Azure App Service ARR affinity cookie.
        if (!headers.ContainsKey("Arr-Disable-Session-Affinity"))
        {
            headers.Add("Arr-Disable-Session-Affinity", "True");
        }

        // Remove fingerprinting headers. This is hygiene rather than a security control:
        // it makes the stack slightly harder to identify but protects nothing by itself.
        if (headers.ContainsKey("Server"))
        {
            headers.Remove("Server");
        }

        var hasPoweredBy = headers.ContainsKey("x-powered-by")
                        || headers.ContainsKey("X-Powered-By");
        if (hasPoweredBy)
        {
            headers.Remove("x-powered-by");
            headers.Remove("X-Powered-By");
        }

        // Forbid framing unless the application already chose its own policy.
        if (!headers.ContainsKey("X-Frame-Options"))
        {
            headers.Add("X-Frame-Options", "DENY");
        }

        return Task.CompletedTask;
    }
}
The `x-powered-by` header is still present in the response, with the value `ASP.NET`.
Answer
- In addition to @Brando Zhang's answer: to stop Kestrel from emitting its own `Server: Kestrel` response header, turn off `AddServerHeader` on the Kestrel options. Note that this only affects headers Kestrel itself writes; a header that still arrives (such as `X-Powered-By: ASP.NET`) is being added by a layer in front of the app, typically IIS when hosting through `UseIISIntegration`, and has to be removed in that layer's configuration rather than in application code.
-.NET Core 1
// .NET Core 1.x host setup. AddServerHeader = false stops Kestrel from adding its own
// "Server: Kestrel" header; it has no effect on headers added by IIS when the app is
// hosted behind it (UseIISIntegration below), which must be configured separately.
var host = new WebHostBuilder()
    .UseKestrel(options => options.AddServerHeader = false)
    .UseContentRoot(Directory.GetCurrentDirectory())
    .UseIISIntegration()
    .UseStartup<Startup>()
    .Build();
-.NET Core 2
// .NET Core 2.x host setup. CreateDefaultBuilder already wires up Kestrel and IIS integration;
// UseKestrel is called again here only to suppress Kestrel's own "Server" header.
WebHost.CreateDefaultBuilder(args)
    .UseKestrel(options => options.AddServerHeader = false)
    .UseStartup<Startup>()
    .Build();