Checks to see if your site reveals information in its headers that gives away unnecessary details about the technology used to build and host it.
This health check can be fixed by removing headers before the response is started.
Be aware these headers are often added by the server and not by the application.
Unless you publicly expose the Kestrel server (not recommended by Microsoft), you can't handle this directly in middleware.
For IIS you will need to manipulate web.config
(If you don't have web.config
already in your project you will need to add it at the root). Ensure to remove the custom X-Powered-By
and Server
header as shown in the following example.
The removeServerHeader
attribute is added in IIS 10.0 and does not work in versions of Windows prior to Windows Server version 1709 or Windows 10 version 1709.
By default Kestrel will only expose the Server
header. To disable this, you have to configure Kestrel in Program.cs
. You can use the UseKestrel
extension method on WebApplicationBuilder
like in the following example.