Remove Unwanted HTTP headers on an App Gateway with PowerShell

Increase the security of your sites by removing unwanted HTTP response headers on an Application Gateway using Rewrite Rules and PowerShell.

Web servers often include headers that describe which version they are running or which features they offer. You can improve the security of your site by not sharing this information with the internet, and if you are using an Azure Application Gateway, it can be used to remove these headers.

The following PowerShell will create a Rewrite rule to remove the Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version HTTP response headers. This Rewrite Ruleset can then be associated with one or more sites on the Azure Application Gateway.

# Get the Application Gateway (AAG) config
$appGW = Get-AzApplicationGateway -Name "my-app-gateway" -ResourceGroupName "my-resource-group"

# Add the new Rewrite Rule.
# Each entry names a response header and sets no HeaderValue, so the gateway removes it.
$responseHeaderConfigurations = ([PSCustomObject]@{HeaderName='Server'},
                                 [PSCustomObject]@{HeaderName='X-Powered-By'},
                                 [PSCustomObject]@{HeaderName='X-AspNet-Version'},
                                 [PSCustomObject]@{HeaderName='X-AspNetMvc-Version'}
                                )
$action = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $responseHeaderConfigurations
$rule = New-AzApplicationGatewayRewriteRule -Name "Remove Unwanted Headers" -ActionSet $action -RuleSequence 100

# Add the rule set to the in-memory gateway object
$ruleset = Add-AzApplicationGatewayRewriteRuleSet -Name "Remove-Unwanted-Headers" `
                -RewriteRule $rule `
                -ApplicationGateway $appGW

# Commit changes to Azure
$appGW | Set-AzApplicationGateway

In the Azure Portal the resulting rules would look something like this:

[Image: Azure Portal Rewrite Rules]
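
Once the Rewrite Ruleset is associated with a site, the response headers can be checked from a client. The following is an added example, not part of the original post: the function name `Find-UnwantedHeader`, the sample header data, and the URL in the final comment are all constructed for illustration.

```powershell
# Added example (not from the original post).
# The header names are the four removed by the rewrite rule above.
$UnwantedHeaders = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'

function Find-UnwantedHeader {
    [CmdletBinding()]
    param(
        # Response headers, for example (Invoke-WebRequest ...).Headers
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Headers,

        [string[]]$Unwanted = $UnwantedHeaders
    )

    foreach ($name in $Unwanted) {
        # HTTP header names are case-insensitive; -eq compares strings that way,
        # so this also works when the dictionary itself is case-sensitive.
        $key = @($Headers.Keys) | Where-Object { $_ -eq $name } | Select-Object -First 1
        if ($null -ne $key) {
            [PSCustomObject]@{
                Header = $key
                Value  = ($Headers[$key] -join ', ')
            }
        }
    }
}

# Constructed sample data: a response straight from a backend server,
# and the same response after passing through the gateway's rewrite rule set.
$direct = @{
    'Content-Type' = 'text/html; charset=utf-8'
    'Server'       = 'Microsoft-IIS/10.0'
    'x-powered-by' = 'ASP.NET'
}
$viaGateway = @{
    'Content-Type' = 'text/html; charset=utf-8'
}

foreach ($sample in @{ Name = 'direct'; Headers = $direct }, @{ Name = 'via gateway'; Headers = $viaGateway }) {
    $leaks = @(Find-UnwantedHeader -Headers $sample.Headers)
    '{0}: {1} unwanted header(s) {2}' -f $sample.Name, $leaks.Count, ($leaks.Header -join ', ')
}

# Live check against a site behind the gateway (placeholder URL):
# Find-UnwantedHeader -Headers (Invoke-WebRequest -Uri 'https://www.example.com/' -Method Head).Headers
```

Running the live check before and after associating the ruleset with a site shows whether the rule is actually applied to that site's responses.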