Removing / hiding the Http Headers

Question

By referring the below forum

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

I could easily hide the http headers like server information but still i'm getting below informtaion.

Is there a possibility to hide Allow and Public methods in the headers? Please share

HTTP/1.1 200 OK
**Allow: OPTIONS, TRACE, GET, HEAD, POST**
Date: Thu, 09 Jan 2014 09:37:00 GMT
**Public: OPTIONS, TRACE, GET, HEAD, POST**
Content-Length: 0
Connection: keep-alive

OPTIONS /Main.aspx HTTP/1.1 Host: mywebsite.com Content-Length: 2 — Sankar M, Jan 09 '14 at 09:50
Returning which methods are allowed on the given resource is the sole purpose of the OPTIONS request. If you remove those headers from that response, the response becomes meaningless. — CodeCaster, Jan 09 '14 at 09:51
@CodeCaster the above request gives the response...IS there any way to do? — Sankar M, Jan 09 '14 at 09:52
If that so... it is okay... we need to avoid others to analyze our server.. — Sankar M, Jan 09 '14 at 09:54

score 0 · Answer 1 · edited May 23 '17 at 12:13

0

Like I said in my comments, you don't want to remove those headers from a response to an OPTIONS request, because that request asks the server what other methods can be called on the given resource, in this case /Main.aspx.

The response contains the allowed methods in the Allow and Public headers. If you remove those headers, the response becomes meaningless.

If you want to disable the OPTIONS request altogether, see Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS.

edited May 23 '17 at 12:13

Community

1
1

answered Jan 09 '14 at 09:57

CodeCaster

147,647
23
218
272

will they Block POST option because i need this verb.... i don't want explicitly declare that our system uses POST and allows. Please give me clarity on this... – Sankar M Jan 09 '14 at 10:09
Will who do what now? – CodeCaster Jan 09 '14 at 10:10
And I didn't understand yours. :-) What do you mean? If you click the link, you see you can disable specicic verbs, so you can prevent only the `OPTIONS` request to be processed altogether. – CodeCaster Jan 09 '14 at 10:14
by adding these in config? – Sankar M Jan 09 '14 at 10:18
That config forces the verbs or methods `OPTIONS`, `TRACE` and `HEAD` to run through the default HTTP handler. Then you also need `` (and other verbs you want to disable) in the `authorization` section in `system.web`. – CodeCaster Jan 09 '14 at 10:23
I added this in config it throws me 500 internal server error why? – Sankar M Jan 09 '14 at 10:36
500 server error has been resolved but still option method is allowed!!! i could see the response with Allow and Public HTTP/1.1 200 OK Allow: OPTIONS, TRACE, GET, HEAD, POST Date: Thu, 09 Jan 2014 12:25:10 GMT Public: OPTIONS, TRACE, GET, HEAD, POST Server: Microsoft-IIS/7.5 Content-Length: 0 Connection: keep-alive – Sankar M Jan 09 '14 at 12:26

score -1 · Answer 2 · edited Mar 17 '14 at 18:54

-1

Headers should be hidden anyway... Not quite sure what's happening here. Have you refreshed the main reference file.

edited Mar 17 '14 at 18:54

Selman Genç

100,147
13
119
184

answered Jan 09 '14 at 09:50

user3176943

35
2
2
3

Removing / hiding the Http Headers

2 Answers2