88

I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.

There must be a good solution for Azure that does not involve deploying installers from startup.cmd.

I understand that the response headers are added in different places:

  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?

Nick Evans

5 Answers

141

The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.

Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I've found (thanks to this blog, this answer, and this blog combined).

To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog, this will also not fail on Cassini / local dev):

Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use the BeginRequest event.

    // Runs early in the pipeline for every request that reaches managed code
    // and strips the Server header before IIS writes the response headers.
    // Response.Headers is only available when the application pool runs in
    // Integrated pipeline mode.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...
Nick Evans
  • According to hinting in VS, no need to null check Request, Response, or Response.Headers – Chris Haines May 22 '13 at 09:53
  • 1
    When used on IIS, not Azure, be aware that the application pool has to be in Integrated mode. And .IsLocal should be removed when debugging locally. – IvanH Aug 16 '13 at 13:49
  • 5
    There's no need for "Yoda conditions" in C# - it doesn't allow assignment in a conditional, http://en.wikipedia.org/wiki/Yoda_Conditions – tvanfosson Aug 21 '13 at 22:20
  • Any known issues with this and [HttpCacheModule](http://blogs.msdn.com/b/asiatech/archive/2010/10/18/heap-corruption-in-httpcachemodule-while-you-try-to-remove-http-headers-in-your-custom-http-module.aspx). Can we use PostReleaseRequestState for this in global.asax? – felickz Nov 04 '13 at 03:55
  • 1
    Thanks for the detailed answer, however I did try and follow the steps but each time I scan the site using ASafaWeb, it still mentions an issue about the excessive header (X-AspNet-Version). I even used URL Rewrite to remove this header. Are there any other possibilities of removing it? – Raymond A Apr 25 '14 at 19:31
  • 4
    There is still the problem of requesting a non-existent file, e.g. "http://yoursite/foo.jpg". Since this request is not processed by MVC the response header "Server: IIS x.y" will still be there. One solution which works for Azure Web Sites (and apparently ONLY for azure web sites) is to add this under : – adrian h. Aug 12 '14 at 13:43
  • This all is good except that removing the Server tag from code doesn't give you the desired result with content files like scripts, images. You have to use the web.config setting as provided below. – drunkcamel Sep 23 '14 at 09:43
  • This new approach appears to remove the Microsoft-IIS/8.5 header!! – felickz Jun 30 '15 at 18:25
  • This solution works for IIS (ver 8) hosted apps. Instead of the code to remove the server header, I used the configuration attribute removeServerHeader. For more information: http://www.ozkary.com/2016/01/Remove-Unwanted-HTTP-Response-Headers.html – ozkary Jan 31 '16 at 23:21
  • @adrianh. try creating custom 404 for all kind of files. – Mukesh Agarwal Feb 28 '19 at 14:00
12

MSDN published this article on how to hide headers on Azure Websites. You can now hide the server from web.config by adding an entry to system.webServer

<security>
      <requestFiltering removeServerHeader ="true" />
</security>

VS will frown at the above as invalid though. The above link has code as pics, hard to find. MVC version is still hidden in application start as above, same for x-powered-by and .Net version.

derpasaurus
AKhooli
  • 3
    This may work for Azure, but not anywhere else. The comments on that article confirm this, as does my own testing. The answer by @giveme5minutes is the way that works. – CrazyPyro Mar 16 '15 at 17:29
  • Would be nice to know what was implemented to make this function :| Especially since URL SCAN previously implemented this out of the box. – felickz Jun 30 '15 at 15:09
6

There's also a package on NuGet that helps you achieve this through a few lines of config and no changes to code: NWebsec. The docs on removing version headers can be found here: https://github.com/NWebsec/NWebsec/wiki/Suppressing-version-headers

It's demoed here: http://www.nwebsec.com/HttpHeaders/VersionHeaders (in Azure)

Disclaimer: I'm the developer on the project.

klings
  • "NWebsec helps you suppress almost all of these version headers, i.e. all but the Server: Microsoft-IIS/8.0 header." :( https://github.com/NWebsec/NWebsec/wiki/Suppressing-version-headers – felickz Jun 30 '15 at 13:14
  • It moved from codeplex to GitHub (please update link https://github.com/NWebsec/NWebsec/wiki ) – Nordes Aug 06 '15 at 13:56
6

Nick Evans' answer is perfect, but...

If you remove these headers for a security purpose, don't forget to change the ASP.NET Session cookie name! Because it is easier to guess the language used or the server version when you see this:


To change the cookie name: (be creative)

<system.web>
  <sessionState cookieName="PHPSESSID" />
</system.web>
Matthieu Charbonnier
  • Changing the cookie name has more benefits than just server technology exposure - e.g. reduces the risk of generic, bulk session harvesting – mlhDev Oct 10 '19 at 15:07
4

Rolling up the previous answers from @giveme5minutes and @AKhooli as they relate to Azure Websites plus a few other items the scanner wants to see, these are the changes that I made to make ASafaWeb happy with an Azure site.

It still complains about the Azure affinity header cookie not being https only but affinity is the type of cookie you do want replayed anyway, right?

<system.web>
    <compilation debug="false" />
    <httpRuntime enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
</system.web>

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!--removes Azure headers-->
      <requestFiltering removeServerHeader="true" />
    </security>
</system.webServer>
Timothy Lee Russell
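An added checker, not code from any answer above, that parses raw HTTP responses and reports what the answers on this page tell you to remove: the four version headers from the first answer (including a static-file path, since adrian h.'s comment notes IIS still sends Server there), the default session cookie name from Matthieu Charbonnier's answer, and cookies missing the HttpOnly/Secure flags that the last answer's httpCookies setting adds. The sample responses are constructed, not captured from a real site.

```python
# Sample responses below are constructed (an MVC page and a static-file 404).
LEAKY_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")
DEFAULT_SESSION_COOKIE = "ASP.NET_SessionId"  # the default the cookieName setting renames

def parse_headers(raw: str):
    """Split a raw HTTP response into (status_code, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(raw: str):
    """Return the findings for one response; an empty list means it is clean."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name in LEAKY_HEADERS:
            findings.append(f"header {name}: {value}")
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if cookie_name == DEFAULT_SESSION_COOKIE:
                findings.append(f"default session cookie name {cookie_name}")
            for flag in ("HttpOnly", "Secure"):
                if flag.lower() not in attrs:
                    findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings

def audit_paths(responses: dict):
    """Audit one response per path. The Global.asax code only runs for requests
    that reach managed code, so a static file or a 404 belongs in the set."""
    return {path: audit_response(raw) for path, raw in responses.items()}

# Constructed: the MVC page after the changes, and a missing static file
# that IIS answers without running the managed pipeline.
SAMPLE_RESPONSES = {
    "/": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n<html></html>"),
    "/foo.jpg": ("HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/8.0\r\n"
                 "X-Powered-By: ASP.NET\r\n\r\n"),
}

if __name__ == "__main__":
    for path, findings in audit_paths(SAMPLE_RESPONSES).items():
        print(path, findings or "clean")
```

Feed it real responses (the decoded raw reply from an http.client connection works) for an MVC route, a static file and a non-existent path, so that the static-file case from the comments is covered as well.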