Remove X- Headers From Web Server Response

Problem this snippet solves:

Remove any X- header from web server HTTP responses

Here is a simple iRule which removes any response header from the pool which starts with X-. The goal is to prevent users of the application from learning details of the application architecture from these user-defined comment headers.

Code :

when HTTP_RESPONSE { 
  
   # Remove all instances of the Server header 
   HTTP::header remove Server 
  
   # Remove all headers starting with x- 
   foreach header_name [HTTP::header names] { 
  
      if {[string match -nocase x-* $header_name]}{ 
  
         HTTP::header remove $header_name 
      }
   }
}
Published Mar 18, 2015
Version 1.0
content manipulation
devops
iRules

Was this article helpful?

2 Comments

Sort By
  • saidshow_251381's avatar
    saidshow_251381
    Icon for Cirrostratus rankCirrostratus
    May 25, 2016
    Thank you hoolio. This is great. I have implemented as is for the purpose of testing and confirm that this worked without any changes. I will modify exactly what headers it targets depending on our needs.
  • TomBenda_311829's avatar
    TomBenda_311829
    Icon for Nimbostratus rankNimbostratus
    Feb 27, 2017

    Be aware, that remove all x-* headers cant be allright with all cases. With this rule is remove header "X-UA-Compatible" header, which can has some render issue for web apps.