How to Remove Sensitive Response Headers in IIS to Harden Web Security

In the Kali Linux series, banner grabbing through the HTTP response header is highlighted as a basic technique for collecting information about a web server, its application framework, and programming language.

The article shows an example of a response header image.

1.1 Sensitive headers

The following headers often reveal valuable details, especially for ASP.NET applications:

Server : reveals the web server and version (e.g., "Microsoft-IIS/7.5", "nginx/1.0.11", "Apache").

X-Powered-By : reveals the application framework (e.g., "ASP.NET", "PHP/5.2.17", "UrlRewriter.NET 2.0.0").

X-AspNet-Version : shows the ASP.NET version, present only when the site runs ASP.NET.

X-AspNetMvc-Version : indicates the ASP.NET MVC version.

While these fields are not directly dangerous, they can accelerate attacks if a known vulnerability (e.g., a 0‑day in a specific IIS version) is discovered.

1.2 Removing sensitive headers

1.2.1 Delete the Server header

Use the IIS extension UrlScan . Edit C:\Windows\System32\inetsrv\urlscan\UrlScan.ini, locate RemoveServerHeader and set its value to 1. The article includes before‑and‑after screenshots.

1.2.2 Delete the X-Powered-By header

Open IIS Manager, switch to the site view, and open “HTTP Response Headers”. Delete the X-Powered-By entry. Screenshots illustrate the process.

1.2.3 Delete the X-AspNet-Version header

Edit the site’s web.config and add the following configuration:

<system.web>
    <httpRuntime enableVersionHeader="false" />
</system.web>

1.2.4 Delete the X-AspNetMvc-Version header

Open Global.asax and add the following line inside the Application_Start method: MvcHandler.DisableMvcResponseHeader = true; The final result is shown in a screenshot.