The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.
Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I’ve found (thanks to this blog, this answer, and this blog combined).
To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):
Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.
protected void Application_BeginRequest(object sender, EventArgs e)
{
var application = sender as HttpApplication;
if (application != null && application.Context != null)
{
application.Context.Response.Headers.Remove("Server");
}
}
To remove X-AspNet-Version, in the web.config find/create <system.web> and add:
<system.web>
<httpRuntime enableVersionHeader="false" />
...
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
To remove X-Powered-By, in the web.config find/create <system.webServer> and add:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
...