I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.
There must be a good solution for Azure that does not involve deploying installers from startup.cmd.
I understand that the response headers are added in different places:
Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?
Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.
In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.
In the web site pane, double-click HTTP Response Headers in the IIS section. In the actions pane, select Add. In the Name box, type the custom HTTP header name. In the Value box, type the custom HTTP header value.
The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.
Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1
option removed). Below is the neatest solution I've found (thanks to this blog, this answer, and this blog combined).
To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders
event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):
Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.
protected void Application_BeginRequest(object sender, EventArgs e) { var application = sender as HttpApplication; if (application != null && application.Context != null) { application.Context.Response.Headers.Remove("Server"); } }
To remove X-AspNet-Version, in the web.config find/create <system.web>
and add:
<system.web> <httpRuntime enableVersionHeader="false" /> ...
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start
event and add a line as follows:
protected void Application_Start() { MvcHandler.DisableMvcResponseHeader = true; }
To remove X-Powered-By, in the web.config find/create <system.webServer>
and add:
<system.webServer> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol> ...
MSDN published this article on how to hide headers on Azure Websites. You can now hide the server from web.config by adding an entry to system.webServer
<security> <requestFiltering removeServerHeader ="true" /> </security>
VS will frown at the above as invalid though. The above link has code as pics, hard to find. MVC version is still hidden in application start as above, same for x-powered-by and .Net version.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With