How to Hide 'Server' and 'X-Powered-By' response header tags

Noorul Ahmed 61 Reputation points
2025-02-26T08:51:02.8933333+00:00

Hi,

We have a communication site published on a SharePoint 2019 Farm environment, primarily used as an intranet portal. During the recent penetration testing, our security team recommended hiding the HTTP response headers 'Server' and 'x-powered-by'. Can we have information on how to achieve it safely, and whether it can impact any website functionalities?

We can remove the 'x-powered-by' response header from IIS, but is it safe to do so?

Regards


Accepted answer
Yanli Jiang - MSFT 29,686 Reputation points Microsoft Vendor
2025-02-26T09:55:51.4266667+00:00

    Hi @Noorul Ahmed ,

    Welcome to Q&A forum! We are glad to assist.

    X-Powered-By:

    This header is inserted by ASP.NET/IIS purely as an informational tag. Removing this header has no effect on the runtime behavior of your ASP.NET/SharePoint applications. It is strictly informational, so its removal does not break functionality. In production environments it’s common practice (and recommended by many security guidelines) to remove it so that attackers cannot easily determine that your site is running ASP.NET. There are two common approaches:

    1. Via IIS Manager: Open IIS Manager, select your web application (or Default Web Site), open HTTP Response Headers, and remove the X-Powered-By header.
    2. Via web.config: Add (or update) the following section in your web.config file:
         <system.webServer>
           <httpProtocol>
             <customHeaders>
               <remove name="X-Powered-By" />
             </customHeaders>
           </httpProtocol>
         </system.webServer>

       This method is widely used and is considered safe because the header is used only for informational purposes.

    Server:

    The header is injected at a very low level in IIS’s pipeline, and removing it merely prevents that informational string from being sent. The “Server” header discloses the underlying web server (e.g. "Microsoft-IIS/10.0"). In IIS 10 (available on Windows Server 2016/2019), you can remove it by leveraging a built-in request filtering option, and this does not interfere with SharePoint functionality. Add the following snippet to your web.config:

    <system.webServer>
      <security>
        <requestFiltering removeServerHeader="true" />
      </security>
    </system.webServer>
    

    That said, a couple of points of caution:

    • Monitoring and Diagnostics: Some third-party monitoring tools or internal diagnostic scripts might expect to see these headers. If you use such tools, you should verify that they continue to work as expected after making these changes.
    • Support Considerations: Custom modifications to web.config or IIS settings in a SharePoint farm should always be tested in a staging environment first because future SharePoint updates may overwrite or conflict with custom configuration changes.
    • Security by Obscurity: While removing these headers does reduce the amount of information available to an attacker, it is only one part of a broader security strategy. Do not rely solely on header removal for protection.

    Just be sure to test these changes thoroughly in your environment to ensure that no monitoring or support tools are adversely affected.

    References:

    https://support.waters.com/KB_Inf/Other/WKB202337_How_to_disable_the_X-Powered-By_HTTP_header_in_Microsoft_IIS

    https://weblog.west-wind.com/posts/2023/May/08/Removing-the-IIS-Server-Request-Header-from-ASPNET-Core-Apps-any-version

    Non-official, just for reference.

    Hope this information helps.

    Please do let us know if you have any further queries.

    Kindly consider accepting the answer if the information provided is helpful. This can assist other community members in resolving similar issues.
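A quick way to confirm the web.config changes took effect, as an added example that is not part of the original thread or of any Microsoft tooling: a Python script that fetches the site and reports which disclosure headers are still present. It goes slightly beyond the answer by also flagging X-AspNet-Version, another informational ASP.NET header; the site URL is taken from the command line and the sample responses below are constructed.

```python
"""Report version-disclosing response headers on a web site (added example)."""
import sys
import urllib.error
import urllib.request

# The two headers the pentest asked to hide, plus a common ASP.NET sibling.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def find_disclosure_headers(headers):
    """Return {lowercased name: value} for every disclosure header present.

    `headers` is any iterable of (name, value) pairs. HTTP header names are
    case-insensitive, so the comparison is done on the lowercased name.
    """
    found = {}
    for name, value in headers:
        if name.lower() in DISCLOSURE_HEADERS:
            found[name.lower()] = value
    return found


def check_url(url, timeout=10):
    """Send a HEAD request to `url` and return the disclosure headers still sent.

    A SharePoint site usually answers an anonymous request with 401; that
    error response still carries the IIS headers, so it is inspected too.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return find_disclosure_headers(resp.headers.items())
    except urllib.error.HTTPError as err:
        return find_disclosure_headers(err.headers.items())


# Constructed samples: a typical response before and after the web.config edit.
SAMPLE_BEFORE = [("Content-Type", "text/html"), ("Server", "Microsoft-IIS/10.0"),
                 ("X-Powered-By", "ASP.NET"), ("X-AspNet-Version", "4.0.30319")]
SAMPLE_AFTER = [("Content-Type", "text/html"), ("Cache-Control", "private")]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    leaked = check_url(target) if target else find_disclosure_headers(SAMPLE_BEFORE)
    for name, value in leaked.items():
        print(f"still disclosed: {name}: {value}")
    print("OK: no disclosure headers" if not leaked else f"{len(leaked)} header(s) to remove")
```

Run it without arguments to see the constructed "before" sample, or with the site URL after the change; an exit with "OK" means neither header reaches the client.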


0 additional answers
