This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided “as is” with no warranties.


If you are performing a penetration test on your SmartForms, you may encounter a warning that the HTTP response headers returned contain information about the web server which could be useful to attackers.


The penetration test report highlights the following HTTP headers as posing security issues:

  • X-AspNet-Version
  • X-AspNetMvc-Version 
  • X-Powered-By 
  • Server



Please note that these headers are not added by K2, but are inserted automatically by IIS and the .NET Framework.

To remove the X-AspNet-Version, X-AspNetMvc-Version, and Server headers:

  1. If you are using Forms STS for authentication, go to [Program Files]\K2 blackpearl\WebServices\Identity\Sts\Forms.
  2. Alternatively, if you are using Windows STS, go to [Program Files]\K2 blackpearl\WebServices\Identity\Sts\Windows.
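  3. Open Global.asax with a text editor.
  4. Append the following lines and save:

    <script runat="server">
     protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
     { // Runs just before the headers are sent; removes the three headers named above.
      foreach (string name in new string[] { "X-AspNet-Version", "X-AspNetMvc-Version", "Server" }) Response.Headers.Remove(name);
     }
    </script>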

To remove the X-Powered-By header:

  1. Open IIS Manager
  2. Expand Sites > [Your K2 Site] > Identity > Sts
  3. Select Forms if you are using Forms STS for authentication. Otherwise, select Windows if you are using Windows STS.
  4. Select HTTP Response Headers


  5. Remove X-Powered-By.


Once you are done, perform an IISRESET, clear the browser cache, and check again whether the headers still appear.
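
To support that final check, the following PowerShell is an added example, not part of the original K2 article: it parses a raw HTTP response and lists any of the four headers named above that are still present. The function name is hypothetical and both sample responses are constructed.

```powershell
# Added example (not K2 code). The header names are the four listed in this article.
$DisclosureHeaders = 'X-AspNet-Version', 'X-AspNetMvc-Version', 'X-Powered-By', 'Server'

function Find-DisclosureHeader {
    param([Parameter(Mandatory)][string]$RawResponse)
    foreach ($line in ($RawResponse.TrimStart() -split "`r?`n")) {
        if ($line.Trim() -eq '') { break }   # a blank line ends the header block
        # Header names are case-insensitive; -contains compares that way by default.
        if ($line -match '^([^:\s]+)\s*:\s*(.*)$' -and $DisclosureHeaders -contains $Matches[1]) {
            [pscustomobject]@{ Header = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
}

# Constructed sample: a response captured before the changes were applied.
$before = @'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
x-powered-by: ASP.NET

<html>Server: body text after the blank line is ignored</html>
'@

# Constructed sample: the same response after Global.asax and IIS Manager were updated.
$after = @'
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8

<html></html>
'@

foreach ($sample in @{ Name = 'before'; Text = $before }, @{ Name = 'after'; Text = $after }) {
    $found = @(Find-DisclosureHeader -RawResponse $sample.Text)
    if ($found.Count -gt 0) {
        "$($sample.Name): $($found.Count) header(s) still disclosed"
        $found | ForEach-Object { "  $($_.Header): $($_.Value)" }
    } else {
        "$($sample.Name): none of the four headers present"
    }
}

# Live check (placeholder URL, replace with your own STS address):
#   $raw = (curl.exe -s -D - -o NUL 'https://<your-k2-site>/Identity/Sts/Forms/') -join "`n"
#   Find-DisclosureHeader -RawResponse $raw
```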