Remove unwanted HTTP/IIS headers using custom module for .NET Framework

[meenakshiBalekar]

Table of Contents​

• Introduction
• Why Use Custom Modules in IIS?
• Which Versions of IIS Support Custom Modules?
• Advantages of Using Custom Modules
• How to Use Custom Modules to Remove Unwanted HTTP Headers from IIS
• Conclusion

Introduction​

Internet Information Services (IIS) is a flexible, secure, and manageable web server for hosting anything on the web. This includes websites, services, and applications. One of the lesser-known but powerful features of IIS is the ability to create custom modules using the .NET Framework. Custom modules allow developers to extend the functionality of the IIS pipeline by intercepting HTTP requests and responses.

Why Use Custom Modules in IIS?​

Custom modules in IIS are used for several reasons:

• Security: Enhance security by inspecting incoming requests and outgoing responses for malicious content.
• Logging: Implement custom logging mechanisms tailored to specific business requirements.
• Performance: Optimize performance by caching responses or terminating requests early under certain conditions.
• Customization: Customize the behavior of IIS to suit unique application needs beyond the capabilities of built-in modules.

To learn more about custom modules you can refer to :
Manged Modules and Custom Modules in IIS

Which Versions of IIS Support Custom Modules?​

Custom modules are supported in IIS 7.0 and later versions. This includes:

• IIS 7.0 (Windows Server 2008)
• IIS 7.5 (Windows Server 2008 R2)
• IIS 8.0 (Windows Server 2012)
• IIS 8.5 (Windows Server 2012 R2)
• IIS 10.0 (Windows Server 2016 and later)

These versions of IIS support integrated and classic pipeline modes, allowing for greater flexibility in creating and deploying custom modules.

​

Advantages of Using Custom Modules​

Custom modules offer several benefits:

• Extensibility: Extend IIS functionality to perform tasks not supported by default modules.
• Flexibility: Tailor the web server to handle specific scenarios, making the web application more robust and secure.
• Centralized Management: Manage and enforce rules and behaviors at the server level, providing a consistent approach across multiple applications.
• Scalability: Improve scalability by handling repeated tasks more efficiently at the server level.

​

How to Use Custom Modules to Remove Unwanted HTTP Headers from IIS​

Removing unwanted HTTP headers can be essential for security and privacy reasons. Here’s how you can create a custom module to achieve this:

I am making use of .NET framework version 4.8.1 for creating this class library on Visual studio 2022

​

Step 1: Create a New Class Library Project​

• Open Visual Studio and create a new Class Library project.
  
  
  
  
• Name it appropriately, e.g., "RemoveHeadersModule ".
  
  
  

​

Step 2: Implement the IHttpModule Interface​

• Add a new class and implement the IHttpModule interface.
• Override the Init and Dispose methods.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace RemoveHeadersModule
{
    public class RemoveHeadersModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(OnPreSendRequestHeaders);
        }
        private void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
            HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
            HttpContext.Current.Response.Headers.Remove("Content-Type");
            HttpContext.Current.Response.Headers.Remove("Content-Lenght");
            HttpContext.Current.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
            HttpContext.Current.Response.Headers["X-Powered-By"] = "Test";
            HttpContext.Current.Response.Headers["X-Content-Type"] = "nosniff";
        }

        public void Dispose()
        {
            // Clean-up code here if needed.
        }
    }

}

Example of What can be removed :

• Server
• X-AspNet-Version
• X-AspNetMvc-Version
• Content-Type
• Content-Length

Example of What can be added with custom value:

• "X-Frame-Options" = "SAMEORIGIN";
• "X-Powered-By" = "Test";
• "X-Content-Type" = "nosniff";

Step 3: A Register the Module in Web.config​

• Open the Web.config file of your IIS application.
• Add the module under the system.webServer section.

<modules>
	  <add name="RemoveHeadersModule" type="RemoveHeadersModule.RemoveHeadersModule, RemoveHeadersModule" />
    </modules>

Step 3: B Register the Module via IIS UI​

• Open IIS console
• Select the application for which you need to add the module
• Go to modules section

• Click on add new Managed module :
  
  
  
  
• Enter the details and click on ok
  

Step 4: Build and Deploy​

• Identify the application for which you want to get rid of the headers hosted on IIS
• Check the headers being displayed from Fiddler or Postman or Developer Tools
  
  
  
  
  
• Build the project and copy the DLL to the bin directory of your IIS application.
• Ensure the module is active by testing your application with tools like Fiddler or Postman or Developer Tools to confirm the headers are removed/added as per need
  
  
  

Conclusion​

Creating custom modules in IIS using the .NET Framework provides a powerful way to extend the functionality of your web server. Whether it's for security, logging, or performance optimization, custom modules allow for a high degree of customization and control.



By following the steps outlined above, you can effectively implement a custom module to remove unwanted HTTP headers, enhancing the security and privacy of your web applications.

Continue reading...