How to delete the IIS ASP.NET response headers for security's sake

There are some nice plugins out there like “BuiltWith” and “Web Server Notifier” and many others that allow you to see the platform that websites run on.

These tools will show which server you’re using, such as Apache, IIS or Nginx, and the security people in your company will ask you to turn off the sharing of this information.

Here’s what I do to remove that information. I use IIS, so I add this section to my web.config.

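<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- X-Powered-By is an IIS custom header, so this entry drops it -->
            <remove name="X-Powered-By" />
            <!-- X-AspNet-Version is written by the ASP.NET runtime; httpRuntime enableVersionHeader controls it -->
            <remove name="X-AspNet-Version" />
            <!-- Server is written by IIS itself; on IIS 10.0+ requestFiltering removeServerHeader controls it -->
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>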
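
A check of which banner headers a web.config actually suppresses, written as an added example (not the author's code). It goes beyond the section above by also reading `httpRuntime enableVersionHeader` and `requestFiltering removeServerHeader` (IIS 10.0+); `HARDENED_CONFIG` is a constructed sample, `still_disclosed` is a hypothetical name, and settings inherited from machine-level configuration are not considered.

```python
import xml.etree.ElementTree as ET

# The section from this page, wrapped in a <configuration> root.
PAGE_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <remove name="Server" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed sample: adds the two settings that own the other headers.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>"""

def still_disclosed(web_config_xml):
    """Return the banner headers this web.config does not suppress."""
    root = ET.fromstring(web_config_xml)

    def attr(path, name):
        node = root.find(path)
        return (node.get(name, "") if node is not None else "").strip().lower()

    removes = root.findall("system.webServer/httpProtocol/customHeaders/remove")
    removed = {r.get("name", "").lower() for r in removes}
    findings = []
    # X-Powered-By is an IIS custom header, so <remove> applies to it.
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By")
    # X-AspNet-Version comes from the ASP.NET runtime, not from customHeaders.
    if attr("system.web/httpRuntime", "enableVersionHeader") != "false":
        findings.append("X-AspNet-Version")
    # Server is written by IIS itself; removeServerHeader exists in IIS 10.0+.
    if attr("system.webServer/security/requestFiltering", "removeServerHeader") != "true":
        findings.append("Server")
    return findings
```

After deploying a change, confirm the result against the live response headers as well, since the file alone does not show inherited settings.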