web config - Remove "Server" header from ASP.NET Core 2.1 application

Question

Is it possible to remove the Server Response header in a ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?

I tried putting the following in the web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <remove name="X-Powered-By" />
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel"

Answer 1

This solution works on IIS 10+ version and allows to remove x-powered-by and server headers in server response.

In IIS 10 a new attribute was added: removeServerHeader.

We need to create web.config file in asp.net core application with following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Then publish app and restart site on IIS.