Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why does removeServerHeader work in an Azure Web App?

Tags:

asp.net

iis

web-config

azure

As mentioned in other SO questions Windows Azure Web Apps are running on IIS/8.0, but I have some doubt if that is actually true.

First of all, when I check the HTTP response from a web app running on the Azure Web Apps free tier I can see the following HTTP header:

Server:Microsoft-IIS/8.0

However, according to this documentation and to some local testing on my machine I know that requestFiltering removeServerHeader is not supported in IIS 8.0.

e.g.:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

It is a feature which has been added with IIS 10.0 and I can confirm this by running some more tests on a Windows 10 VM with IIS 10.0.

Interestingly this setting also works on my Azure Web App, which supposedly runs on IIS 8.0, so my question is what version of IIS is Azure Web Apps actually running on?

EDIT: From all the comments below it seems that Azure Web Apps run on IIS 8.0, so I re-phrase my question to: How come the removeServerHeader works in an Azure Web App when they run on IIS 8.0?

like image 822
dustinmoris Avatar asked Oct 09 '15 14:10

dustinmoris

People also ask

What webServer does Azure App Service use?

Azure App Service for Windows runs on IIS with the use of modules. Node. js apps in App Service on Windows are hosted with IISNode.

How do I get rid of Microsoft IIS 8.5 from response header?

Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it. On IIS 7+ (IIS 7, 8.5, 8.0, 8.5, IIS 10.0), use an rewrite outboundRule to remove the web server version information from the Server: header response.

1 Answers

A blog post from Microsoft in 2013 states:

Our customers asked us to allow these headers to be disabled on Azure Web Sites, and so with the recent release of Windows Azure Web Sites, we have enabled this to be done.

It then goes on to give an example of using removeServerHeader and says it's part of the Request Filtering module:

The removal of these headers is facilitated with the Request Filtering module...

Interestingly their documentation for IIS 10 Request Filtering confirms that the removeServerHeader attribute was added to IIS 10 as you have found out.

New in IIS 10.0

IIS 10.0 added the removeServerHeader attribute to suppress sending the HTTP server header to remote clients.

So I would say that the reason it works on Azure Web Sites is because Microsoft pushed this feature out to Azure Web Sites at the request of customers in 2013 - presumably as part of an Azure-specific version of the Request Filtering module. They have since integrated it as standard into the IIS 10 Request Filtering module.

like image 167
tristankoffee Avatar answered Nov 08 '22 23:11

tristankoffee
Sign in to Comment

Related questions

ASP.NET Repeater ItemDataBound happening AFTER PreRender event?
Single ASP.net site with Multiple Instances & web.configs
Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008
What's the best method for forcing cache expiration in ASP.NET?
ASP.NET Error Handling
What to return from the DAL to BLL
ActiveDirectoryMembershipProvider "The specified domain or server could not be contacted."
How to correctly uppercase Greek words in .NET?
Why are my forms authentication tickets expiring so fast?
How is ASP.NET MVC wired into ASP.NET?
How can I implement permission-based authorization in ASP.NET?
On-Session-expire-event?
IIS App Pools & Static Classes
How to get web.config appSettings as ConfigurationSection not NameValueCollection
Sharing SQL Server Session State across Web Applications
Encountering error 'The Provider encountered an unknown error' while trying WebSecurity.CreateAccount in asp.net webpage
Deleting File which is displayed in picturebox
Unique session in multiple browser tabs in ASP.NET MVC
Page Load alternative in a Pure HTML AJAX Website
Displaying a Float to a Textbox type "number"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!