How can I remove excessive response header information from Azure Web-Apps?

I have an MVC project that I deploy on Azure Web-Apps. I'm trying to remove the excessive header information. The reason I'm trying to remove this information is because it's a standard security practice. (Reference)

I'm trying to remove the below information from response headers:

Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET

I have the following code in my Global.asax.cs file:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

But it's not affecting the result.

Emre Kenci asked Apr 07 '15 09:04

2 Answers

Try this instead:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("Server");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}

Additionally, in Application_Start, wire it up with the following instruction:

PreSendRequestHeaders += Application_PreSendRequestHeaders;

To remove X-AspNet-Version, in the web.config find/create and add:

<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}

To remove X-Powered-By, in the web.config find/create and add:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    ...
</system.webServer>

You should be able to force all requests to go through your managed code by adding this to your web.config:

<!-- inside <system.webServer> -->
<modules runAllManagedModulesForAllRequests="true" />

Even static files and not-found resources should obey your header rules.

References:

  • http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

  • http://consultingblogs.emc.com/howardvanrooijen/archive/2009/08/25/cloaking-your-asp-net-mvc-web-application-on-iis-7.aspx

Drakes answered Oct 12 '22 09:10

Don't use code to remove response headers. It is unstable according to Microsoft.

Use the Web.config custom Headers section instead as defined here:

<system.webServer>
    <httpProtocol>
        <!-- Security Hardening of HTTP response headers -->
        <customHeaders>
            <!-- Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
                 Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
            <add name="X-Content-Type-Options" value="nosniff" />

            <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
                 By preventing a browser from framing your site you can defend against attacks like clickjacking.
                 Recommended value "x-frame-options: SAMEORIGIN" -->
            <add name="X-Frame-Options" value="SAMEORIGIN" />

            <!-- Setting X-Permitted-Cross-Domain-Policies header to "master-only" will instruct Flash and PDF files that
                 they should only read the master crossdomain.xml file from the root of the website.
                 https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
            <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

            <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
                 Recommended value "X-XSS-Protection: 1; mode=block". -->
            <add name="X-Xss-Protection" value="1; mode=block" />

            <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations
                 away from a document and should be set by all sites.
                 If you have sensitive information in your URLs, you don't want to forward to other domains
                 https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
            <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

            <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
            <remove name="X-Powered-By" />

            <!-- Set the cache-control per your Security settings (will affect performance) -->
            <add name="Cache-Control" value="No-cache" />
        </customHeaders>
    </httpProtocol>

    <!-- Prerequisite for the <rewrite> section:
         Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
    <rewrite>
        <!-- Remove Server response headers (OWASP Security Measure) -->
        <outboundRules rewriteBeforeCache="true">
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />

                <!-- Use custom value for the Server info -->
                <action type="Rewrite" value="Your Custom Value Here." />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>
mitaka answered Oct 12 '22 10:10
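Whichever route you take (the Global.asax code in the first answer or the web.config in the second), verify the deployed site rather than trusting the config. The following is an added example, not code from the question or either answer: it parses a raw response head (as captured with `curl -sI`) and reports the stack-disclosing headers from the question that are still present, plus any hardening headers from the second answer's web.config that are missing or carry a different value. The BEFORE and AFTER samples are constructed for illustration.

```python
# Headers the question wants removed: each reveals part of the server stack.
DISCLOSURE_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")

# Hardening headers the second answer's web.config adds, with the values it sets.
EXPECTED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "master-only",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

def parse_response_headers(raw: str) -> dict:
    """Map lower-cased header name -> list of values; duplicates (the two
    X-POWERED-BY lines in the question) are all kept."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw: str) -> dict:
    """Report disclosure headers still present (Server is flagged even when the rewrite
    rule only replaces its value) plus hardening headers that are missing or mis-set."""
    headers = parse_response_headers(raw)
    findings = {"disclosed": [], "missing": [], "mismatched": []}
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name.lower(), []):
            findings["disclosed"].append(f"{name}: {value}")
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name.lower())
        if values is None:
            findings["missing"].append(name)
        elif expected.lower() not in (v.lower() for v in values):  # values are case-insensitive
            findings["mismatched"].append(f"{name}: {values[0]} (expected {expected})")
    return findings

# Constructed sample: the response head the question shows, before any changes.
BEFORE = ("HTTP/1.1 200 OK\nServer: Microsoft-IIS/8.0\nX-AspNet-Version: 4.0.30319\n"
          "X-POWERED-BY: PHP/5.4.38\nX-POWERED-BY: ASP.NET\n")
# Constructed sample: what the second answer's web.config should produce.
AFTER = ("HTTP/1.1 200 OK\nX-Content-Type-Options: nosniff\nX-Frame-Options: SAMEORIGIN\n"
         "X-Permitted-Cross-Domain-Policies: master-only\nX-XSS-Protection: 1; mode=block\n"
         "Referrer-Policy: no-referrer-when-downgrade\nCache-Control: no-cache\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw))
```

Feed it the real head of your Azure Web App and re-run after each change; an empty "disclosed" list with empty "missing" and "mismatched" lists means the configuration actually reached the client, including for static files and 404s if you route them through managed code as the first answer suggests.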