How to remove unwanted security headers for my Angular application hosted in App Service

Rampur, Manoj 30 Reputation points
2023-09-26T15:41:16.4066667+00:00

I'm hosting my Angular app in Azure App Service running on the .NET Framework with a Windows operating system.

I need to disable specific HTTP response headers that expose unnecessary information. The headers that should be disabled are:

  1. Server header
  2. X-AspNet-Version
  3. X-AspNetMvc-Version
  4. X-Powered-By

Is it possible to accomplish this by making modifications in the web.config file, or are there alternative methods available?

Please provide the steps as well.

Azure App Service

Accepted answer
  1. VenkateshDodda-MSFT 19,976 Reputation points Microsoft Employee
    2023-09-27T07:51:59.08+00:00

    @Rampur, Manoj Thanks for reaching out to Microsoft Q&A, and apologies for any inconvenience caused.

    Based on the shared information, I understand that you want to use the web.config file to remove the headers below from the responses of your app service, which is running on the Windows operating system.

    1. Server header
    2. X-AspNet-Version
    3. X-AspNetMvc-Version
    4. X-Powered-By

    To reproduce this behavior, I created a sample ASP.NET Framework application in Visual Studio Code and published the code to one of the app services running on a Windows App Service plan in my subscription.

    I have used the below web.config file to remove the headers (Server, X-AspNet-Version, X-Powered-By):

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <!-- Removes the X-AspNet-Version header -->
        <httpRuntime enableVersionHeader="false" />
      </system.web>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <!-- Removes the X-Powered-By header -->
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
        <security>
          <!-- Removes the Server header -->
          <requestFiltering removeServerHeader="true" />
        </security>
      </system.webServer>
    </configuration>
    

    To disable the X-AspNetMvc-Version header, you need to edit Global.asax.cs and add the following in the Application_Start event:

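    using System.Web.Mvc; // at the top of Global.asax.cs; MvcHandler lives in this namespace

    protected void Application_Start()
    {
        // Stops ASP.NET MVC from adding the X-AspNetMvc-Version response header.
        MvcHandler.DisableMvcResponseHeader = true;
    }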
    

    I have tested this in my local environment and it is working fine. I would suggest you validate it from your end as well.

    Feel free to reach back to me if you have any further questions on this.

    1 person found this answer helpful.
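
The answer suggests validating the result from your own end. One way to do that, as an added example that is not part of the original answer: a small Python check that reports which of the four headers from the question are still present in a response. The function names and the BEFORE/AFTER sample responses are constructed for illustration; `fetch_headers` takes your own app's URL and needs network access.

```python
import http.client
from urllib.parse import urlsplit

# The four headers named in the question, lower-cased for case-insensitive matching.
DISCLOSURE_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

def parse_head(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers

def leaked(headers):
    """Return {lower-cased name: value} for every disclosure header still present."""
    return {n.lower(): v for n, v in headers if n.lower() in DISCLOSURE_HEADERS}

def fetch_headers(url, method="GET"):
    """Fetch one URL of your own app and return its response headers as a list."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request(method, target)
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed sample response heads: before and after applying the configuration.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/10.0\r\nX-AspNet-Version: 4.0.30319\r\n"
          "X-AspNetMvc-Version: 5.2\r\nX-Powered-By: ASP.NET\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        status, headers = parse_head(raw)
        print(label, status, leaked(headers) or "no disclosure headers")
```

Because the headers are switched off in three different places (system.web, system.webServer and Global.asax.cs), run `leaked(fetch_headers(url))` against more than one kind of URL, such as a static file, an MVC route and a page that returns an error.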