How do I remove eTag headers from IIS7?
Under IIS7 the Etag change number (the part of the Etag following : ) is always set to 0.
Hence the Etag from the server no longer varies from server to server for the same file and therefore the Yahoo best practice no longer really applies.
Since you can't actually suppress the ETag header on IIS7 it would probably be best that you don't fiddle with it at all. I've found by far the most useful configuration rule is "If the default doesn't break something, leave it alone".
You would think doing this in the web.config would work to disable ETags in IIS7. But sniffer trace confirms that ETag is sent down anyway.
<httpProtocol>
<customHeaders>
<remove name="ETag" />
</customHeaders>
</httpProtocol>
Using blank doesn't work, either. ETag is sent down anyway.
<httpProtocol>
<customHeaders>
<add name="ETag" value="" />
</customHeaders>
</httpProtocol>
Setting the ETag to blank quotes as other sites have suggested doesn't work.
<httpProtocol>
<customHeaders>
<add name="ETag" value="""" />
</customHeaders>
</httpProtocol>
Causes even more ETag to be sent down:
ETag: "8ee1ce1acf18ca1:0",""
In conclusion, nothing I can try or think of works to kill ETag on IIS7, at least without writing custom modules, etc.
I wrote a custom http module to handle this. It's really not as bad as it sounds. Here's the code:
using System;
using System.Web;
namespace StrongNamespace.HttpModules
{
public class CustomHeaderModule : IHttpModule
{
public void Init(HttpApplication application)
{
application.PostReleaseRequestState += new EventHandler(application_PostReleaseRequestState);
}
public void Dispose()
{
}
void application_PostReleaseRequestState(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("ETag");
}
}
}
Here's the web.config changes you'll want:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
<modules>
<add name="CustomHeaderModule" type="StrongNamespace.HttpModules.CustomHeaderModule"/>
</modules>
</system.webServer>
</configuration>