Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

笑着哭i 提交于 2019-11-26 18:14:39
Nick Evans

The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.

Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I've found (thanks to this blog, this answer, and this blog combined).

To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):

Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...
AKhooli

MSDN published this article on how to hide headers on Azure Websites. You can now hide the server from web.config by adding an entry to system.webServer

<security>
      <requestFiltering removeServerHeader ="true" />
</security>

VS will frown at the above as invalid though. The above link has code as pics, hard to find. MVC version is still hidden in application start as above, same for x-powered-by and .Net version.

There's also a package on NuGet that helps you achieve this through a few lines of config and no changes to code: NWebsec. The docs on removing version headers can be found here: https://github.com/NWebsec/NWebsec/wiki/Suppressing-version-headers

It's demoed here: http://www.nwebsec.com/HttpHeaders/VersionHeaders (in Azure)

Disclaimer: I'm the developer on the project.

Nick Evans' answer is perfect, but...

If you remove these headers for a security purpose, don't forget to change the ASP.NET Session coockie name ! Because it is easier to guess the language used or the server version when you see this :

To change the cookie name: (be creative)

<system.web>
  <sessionState cookieName="PHPSESSID" />
</system.web>

Rolling up the previous answers from @giveme5minutes and @AKhooli as they relate to Azure Websites plus a few other items the scanner wants to see, these are the changes that I made to make ASafaWeb happy with an Azure site.

It still complains about the Azure affinity header cookie not being https only but affinity is the type of cookie you do want replayed anyway, right?

<system.web>
    <compilation debug="false">
    <httpRuntime enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />    
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
</system.web>

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!--removes Azure headers-->
      <requestFiltering removeServerHeader="true" />
    </security>
</system.webServer>
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!