Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview

Question

For security I want to remove any HTTP headers that reveals details about the OS, Web Server or Framework that my application is running. I was able to remove all from displ

Answer 1

Check this thread How to remove ASP.Net MVC Default HTTP Headers? and not only the main response, but also the responses below.

Answer 2

This is now possible. See also Remove Server Response Header IIS7

Answer 3

Windows Azure Websites are shared infrastructure and you do not have access to configure IIS as you do in a Web Role. As you have correctly pointed out you could remove these headers:

• X-AspNet-Version
• X-AspNetMvc-Version

but are left with the following:

• Server: Microsoft-IIS/7.5
• X-Powered-By: ARR/2.5
• X-Powered-By: ASP.NET

Even if you implement all the necessary steps to suppress these headers you will see from my blog post that illegal requests will be handled by HTTP.SYS at the kernel level which will return the Microsoft-HTTPAPI/2.0 header. You need to edit the registry to remove this header.

The conclusion is that if you want ultimate control of IIS and HTTP.SYS you will need to host your website in a non-shared infrastructure. So your option is a Web Role in a Windows Azure Cloud Service.