 

Securing HTTP headers

I have a website on a production server that is supposed to be very secure, so I want to secure the HTTP headers so that no unwanted information is leaked.

I have searched the net about securing HTTP headers and so far found that we can remove unwanted information, for example removing

    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET

I have found a solution for X-AspNet-Version and X-Powered-By:

  1. For X-AspNet-Version I have added the code below in the system.web section

    <httpRuntime enableVersionHeader="false"/>

  2. For X-Powered-By I have added the code below in the system.webServer section

But the code for removing the Server header is not working :(

The code I am using is:

  1. I have added a class named CustomHeaderModule, and inside that class the code is as below

    using System;
    using System.Web;

    /// <summary>
    /// Summary description for CustomHeaderModule
    /// </summary>
    public class CustomHeaderModule : IHttpModule
    {
        public void Dispose()
        {
            // nothing to release
        }

        public void Init(HttpApplication context)
        {
            context.PostReleaseRequestState += PostReleaseRequestState;
        }

        void PostReleaseRequestState(object sender, EventArgs e)
        {
            //HttpContext.Current.Response.Headers.Remove("Server");
            // Or you can set something funny
            HttpContext.Current.Response.Headers.Set("Server", "CERN httpd");
        }
    }

and then registered it in web.config under the system.webServer section

<modules runAllManagedModulesForAllRequests="true">
      <add name="CustomHeaderModule" type="CustomHeaderModule" />
    </modules>

Now this code is not working... I am still seeing the Server header in the Chrome browser.

How can I fix this, and apart from these 3 settings is there anything else I can do to secure it more?

Mahajan344 asked Mar 24 '26 05:03


2 Answers

Considering your problem, what I would suggest is to use ASafaWeb to test your website!

Second is to read these articles from Troy Hunt and Paul Bouwer:

  • Shhh… don’t let your response headers talk too loudly
  • Clickjack attack – the hidden threat right in front of you
  • ASafaWeb, Excessive Headers and Windows Azure

Following these articles you will finally have a look at NWebSec!

JuChom answered Mar 27 '26 06:03
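The reason the module in the question has no effect is timing: in the IIS 7.x integrated pipeline the Server header is appended by IIS after PostReleaseRequestState has run, so the managed code is editing a header collection that does not yet contain it. The last managed event before the headers are flushed is PreSendRequestHeaders. The module below is an added example, not code from the question or from the articles JuChom links; it strips the three fingerprinting headers from the question (plus X-AspNetMvc-Version, which MVC adds) and, following the clickjacking and "headers talk too loudly" articles, adds the defensive headers those pieces recommend. The class name HeaderHardeningModule and the header values are my choices, and it assumes IIS 7.x or later running in Integrated Pipeline mode.

```csharp
// Added example (not from the original post): an IHttpModule that strips the
// fingerprinting headers listed in the question and adds defensive headers.
// Assumes IIS 7.x+ in Integrated Pipeline mode; names and values are my own.
using System;
using System.Web;

public class HeaderHardeningModule : IHttpModule
{
    // Headers that reveal the server or framework. Removal has to happen in
    // PreSendRequestHeaders: IIS appends "Server" after the earlier managed
    // events (such as PostReleaseRequestState) have already run.
    private static readonly string[] LeakyHeaders =
    {
        "Server",
        "X-Powered-By",
        "X-AspNet-Version",
        "X-AspNetMvc-Version"
    };

    public void Init(HttpApplication context)
    {
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    // Nothing to release. Do not throw here: IIS calls Dispose when the
    // application shuts down, and an exception would surface in the event log.
    public void Dispose()
    {
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null)
        {
            return;
        }

        HttpResponse response = app.Context.Response;

        foreach (string name in LeakyHeaders)
        {
            // Remove is a no-op if the header is not present, so this is safe
            // for static files served through the managed pipeline as well.
            response.Headers.Remove(name);
        }

        // Defensive headers: clickjacking, MIME sniffing, protocol downgrade.
        response.Headers["X-Frame-Options"] = "DENY";
        response.Headers["X-Content-Type-Options"] = "nosniff";

        // HSTS only makes sense on a TLS response; browsers ignore it over HTTP.
        if (app.Context.Request.IsSecureConnection)
        {
            response.Headers["Strict-Transport-Security"] =
                "max-age=31536000; includeSubDomains";
        }
    }
}
```

Register it the same way as in the question, under system.webServer: `<modules runAllManagedModulesForAllRequests="true"><add name="HeaderHardeningModule" type="HeaderHardeningModule" /></modules>`; runAllManagedModulesForAllRequests is what makes the module run for static content too. X-Powered-By can also be dropped without any code, via `<httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>` in the same section. Two caveats: responses that IIS or HTTP.sys generate before the managed pipeline is involved (some error pages, kernel-cached responses) still carry the Server header, and on those versions of IIS 10 that support it the `removeServerHeader="true"` attribute on `<requestFiltering>` is the cleaner fix; and Microsoft advises against PreSendRequestHeaders in modules that use asynchronous handlers, so keep this module synchronous as shown. Verify the result from outside the box rather than trusting the browser: `curl -sI https://your-host/ | grep -i -E "^(server|x-powered-by|x-aspnet)"` should print nothing.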


Sorry if this doesn't answer your question directly, but I wouldn't really bother removing those headers. Someone can easily find out what server you are using by looking at the HTML code on the browser side.

If I look at the source code and see things like __VIEWSTATE, I'll immediately know this is ASP.NET, and if I dig a little deeper I'll probably be able to figure out the version too.

What I'd suggest is that you focus on standard security and risk procedures such as making sure you are not open to SQL injection, validating everything on the server side, making sure you have all backups in place and ready to be restored in several minutes, adding an additional layer of authentication if needed, making sure you have all security updates on the server, and such…

Nathan Dunleavy answered Mar 27 '26 05:03


