Remove server from HTTP response in WCF

I have an Internet-based WCF service running on IIS 7.5 that I need to protect. I would like to remove the “Server” header in the HTTP response.

I implemented IDispatchMessageInspector with code as follows.

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        var context = WebOperationContext.Current;
        if (context != null)
        {
            context.OutgoingResponse.Headers.Remove(HttpResponseHeader.Server);
        }
    }

However, the server header is still in the response. When debugging, I see that OutgoingResponse.Headers does not include HttpResponseHeader.Server, and if I write my own value, it is explicitly redefined by something further down the line in the IIS pipeline.

Edit 1

I tried the following, which did not work either:

    public class SecureServerHeaderModule : IHttpModule
    {
        #region Implementation of IHttpModule

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        #endregion

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            var context = HttpContext.Current;
            if (context != null)
            {
                context.Response.Headers.Remove("Server");
            }
        }
    }

    <system.web>
      <httpModules>
        <add "snip" />
      </httpModules>
    </system.web>
    <system.webServer>
      <modules>
        <add "snip" />
      </modules>
    </system.webServer>

Edit 2

Also did not work.

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        var context = OperationContext.Current;
        if (context != null)
        {
            context.OutgoingMessageProperties.Remove(
                HttpResponseHeader.Server.ToString());
            context.OutgoingMessageProperties.Add(
                HttpResponseHeader.CacheControl.ToString(), "no-store");
        }
    }
+4
6 answers

This works using IDispatchMessageInspector

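    using System.Net;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Dispatcher;
    using System.Web;

    public class SecureBehaviour : IDispatchMessageInspector
    {
        public object AfterReceiveRequest(ref Message request,
            IClientChannel channel, InstanceContext instanceContext)
        {
            return null;
        }

        // Runs just before the reply is sent; strips the Server header
        // from the ASP.NET response when an HttpContext is available.
        public void BeforeSendReply(ref Message reply, object correlationState)
        {
            var httpCtx = HttpContext.Current;
            if (httpCtx != null)
            {
                httpCtx.Response.Headers.Remove(
                    HttpResponseHeader.Server.ToString());
            }
        }
    }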
+3

Since you host your service in IIS and have already deployed the HttpModule, try setting the ASP.NET compatibility mode so that you can access HttpContext.Current. You need to make the following changes:

Modify your web.config and add the following to System.ServiceModel

    <system.serviceModel>
      ...
      <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
    </system.serviceModel>

Decorate your service class with this attribute:

 [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)] 

Give the HttpModule another shot and you should be better off.

+1

Have you tried editing your web.config and using the customHeaders tag under system.webServer?

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="Server" />
            <remove name="X-Powered-By" />
            <remove name="X-AspNet-Version" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>

This causes my C# ASP.NET application to only have the following response headers:

    HTTP/1.1 200 OK
    Cache-Control: max-age=3600, public
    Content-Length: 20992
    Content-Type: text/html; charset=utf-8
    Content-Encoding: gzip
    Last-Modified: Tue, 15 May 2012 18:01:11 GMT
    ETag: "HHktEL5IWA6rspl4Bg2ZxNmnV3gTUCLt2cTldSsl05A="
    Vary: Accept-Encoding
    Date: Tue, 17 Jul 2012 21:38:38 GMT

Although I admit that I have not tried it with the “Server” header, this approach seems to work well. The reason I haven't tried it with the “Server” header is that the following code in my IHttpModule works fine.

    void PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        if (HttpRuntime.UsingIntegratedPipeline)
        {
            application.Response.Headers.Remove("Server");
            application.Response.Headers.Remove("Expires");
            application.Response.Headers.Remove("Cache-Control");
            application.Response.AddHeader("Cache-Control", "max-age=3600, public");
        }
    }
+1

For my self-hosted WCF service, the answer from M Afifi does not work. I have to set an empty header:

 httpCtx.OutgoingResponse.Headers.Add(HttpResponseHeader.Server.ToString(), string.Empty); 

This removes the header from the response:

    access-control-allow-headers → Content-Type, Authorization, Accept
    access-control-allow-methods → GET, POST
    access-control-allow-origin → *
    content-type → application/json; charset=utf-8
    date → Mon, 03 Jul 2017 07:22:17 GMT
    status → 200
0

Do you have access to the registry? If so, you can try

 HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader 
-1
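
Whichever of the approaches above is used, the result has to be checked on the response as it leaves the server, because the question shows the header being re-added after the managed code has run. The following is an added example, not code from any of the posts: it audits a raw response head (for instance one captured with a command-line HTTP client) for the three headers named in the customHeaders answer. The function names and the BEFORE and BLANKED samples are constructed for illustration.

```python
# Added example: report platform-disclosure headers in a raw HTTP response head.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

def parse_head(raw):
    """Split a raw response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                        # skip malformed lines without a colon
            headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers

def disclosing_headers(raw, allow_empty=True):
    """Return {lowercased name: value} for headers that identify the stack.

    Header names are matched case-insensitively. With allow_empty=True a
    header that is present but blank is not reported; pass False to flag it.
    """
    _, headers = parse_head(raw)
    found = {}
    for name, value in headers:
        key = name.lower()
        if key in DISCLOSING and (value or not allow_empty):
            found[key] = value
    return found

# Constructed sample: a default IIS/ASP.NET response before any hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
)
# Abridged from the response head quoted in the customHeaders answer.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: max-age=3600, public\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Vary: Accept-Encoding\r\n\r\n"
)
# Constructed sample: hypothetical response that still sends a blank header.
BLANKED = "HTTP/1.1 200 OK\r\nserver:\r\nContent-Type: application/json\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("blanked", BLANKED)):
        print(label, disclosing_headers(raw) or "clean")
```

Run the same check against an error response as well as a successful one, since the two may be produced by different parts of the pipeline.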