X-Powered-By and other X- HTTP Headers

Recently I was involved in on-boarding a new BizTalk EDI trading partner who wants to use AS2. We chose to set up synchronous communication using a static Request-Response receive port. The trading partner is expecting an MDN from us. Operations like setting up the party, installing the certificate and opening up the ports on both ends were also performed, with pretty much default settings. When our trading partner attempts to send us an EDI message, we can receive the message and also return the MDN. Things seem to work just fine. Interestingly, the trading partner is complaining about the HTTP response headers they are receiving in addition to the MDN.

In the trading partner’s words, first they receive this:

Content-Length: 0
Content-Type: text/xml; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 17:23:56 GMT

Then, they receive the expected MDN:

Content-Type: multipart/report; report-type=disposition-notification;boundary="_DB8F56B0-19FA-4309-BD8F-1EA62A2E4773_"
AS2-Version: 1.2
Message-ID: <SERVERNAME_36196DFF-C395-4A66-AAF1-FB2CDEE26382>
Mime-Version: 1.0
EDIINT-Features: multiple-attachments
AS2-To: AS2ToParty
AS2-From: AS2FromParty
Content-Length: 681

--_DB8F56B0-19FA-4309-BD8F-1EA62A2E4773_
Content-Type: text/plain
Content-Transfer-Encoding: binary
Content-ID: {90EB6594-7089-4731-B478-99ABB0A871A3}
Content-Description: plain
--_DB8F56B0-19FA-4309-BD8F-1EA62A2E4773_
Content-Type: message/disposition-notification
Content-Transfer-Encoding: 7bit
Content-ID: {46DC36CE-44A2-40A3-BD45-6B54ABC4FDCC}
Content-Description: body

Final-Recipient: rfc822; AS2FromParty
Original-Message-ID: < 1233578787.241409937848336.JavaMail.SYSTEM@SERVERNAME>
Disposition: automatic-action/MDN-sent-automatically; processed
Received-Content-MIC: ZxBD4rY+d/S/Ms9AxnVSrfBaPac=, sha1

--_DB8F56B0-19FA-4309-BD8F-1EA62A2E4773_--

To the best of my knowledge, my guess is that the trading partner’s EDI platform does not like the “extra” information which is being relayed by our IIS in the form of HTTP response headers. A little bit of help from Google came up with the information that one of the HTTP headers (X-Powered-By) is optional and can be easily removed in the IIS configuration. If you see the “X-Powered-By” header and you do not want it, you can delete it from “HTTP Response Headers” under IIS settings. Removing this header did not result in any error for us. NOTE: this will be an IIS-wide change.

There is no straightforward way to remove the other HTTP headers. There is a nice step-by-step approach presented by Varun Mathu. An alternative approach is suggested by the folks at Dionach. Both of these approaches have one consequence: the changes will be across the board, and all services exposed via IIS will see the HTTP headers removed. Our IT admin team did not like that. Moreover, the removal of “Content-Length” and “Date” is not possible (from what I have been told so far). In our case we were able to convince our partner to ignore the headers.
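
To check which banner headers a response still carries before and after a change like the one above, the following added example (not code from the original post) parses a captured header block and flags the headers that advertise the server stack. The X-AspNet-Version and X-AspNetMvc-Version names and the "after" block are assumptions added for illustration; the "before" block is the one quoted above.

```python
import re

# Banner headers advertise the server stack and carry no protocol meaning.
# Server and X-Powered-By are the two on the page; the X-AspNet* names are
# other ASP.NET banner headers, added here as an assumption.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\d+(\.\d+)+")

def parse_headers(raw):
    """Parse 'Name: value' lines into ordered (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:                               # skips a status line, if present
            headers.append((name.strip(), value.strip()))
    return headers

def audit(raw):
    """Return (header, value, reason) for each header worth reviewing."""
    findings = []
    for name, value in parse_headers(raw):
        key = name.lower()
        if key in BANNER_HEADERS:
            detail = "product and version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, "banner: discloses " + detail))
        elif key.startswith("x-"):
            findings.append((name, value, "non-standard X- header: review"))
    return findings

# First response block as quoted on the page.
BEFORE = """Content-Length: 0
Content-Type: text/xml; charset=UTF-8
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 17:23:56 GMT
"""
# Constructed: the same block after X-Powered-By is deleted in IIS.
AFTER = BEFORE.replace("X-Powered-By: ASP.NET\n", "")

if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(block))
```

Run against the "after" block, the Server header is still reported, which matches the point above that the other headers need a separate approach.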
