5

As a part of security configuration, we should not be revealing the "Server" variable and other variables in the Header Response. How can I remove these variables for a ColdFusion server hosted on IIS?

Community
Vishwas S L

1 Answer

6
  1. Download and Install "URL rewrite" from https://www.iis.net/downloads/microsoft/url-rewrite
  2. Go to the configured Jakarta folder and add a web.config here. To add a URL rewrite outbound rule to the "Jakarta" virtual directory, we need a web.config. The web.config should have an outbound rule and the variable removal rules mentioned below.
  3. Add an outbound rule to web.config that erases the Server response header value and sets it to blank.

    <configuration>
      <system.webServer>
        <rewrite>
          <outboundRules>
            <rule name="Remove Server">
              <match serverVariable="RESPONSE_SERVER" pattern=".*" />
              <action type="Rewrite" value="" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>
    
  4. For server tag value removal for all static files like .css/.js files, add this to web.config:

    <configuration>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
      </system.webServer>
    </configuration>
    
  5. Add the code below to web.config for removal of X-Powered-By and X-AspNet-Version.

    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
            <remove name="Server" />
            <remove name="X-AspNet-Version" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>
    
  6. Convert PortalTools from virtual directory to Application and add the same web.config to the PortalTools folder as well.

rrk
Vishwas S L
    Just a note that if you edit this setting via the IIS Manager, it just creates / updates the related `web.config`. Try and keep this file in source control since it will be in the root of the site anyway. – Adrian J. Moreno Aug 13 '18 at 15:05
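The three fragments in the answer each carry their own `<configuration>` root, but a web.config file may have only one, so they have to be merged before they can be dropped into the Jakarta (or PortalTools) folder. The file below is an added example of that merge, not the answer's own file; it assumes the URL Rewrite module from step 1 is installed and that the directory has been converted to an IIS Application as in step 6. It also adds the `<httpRuntime enableVersionHeader="false" />` setting, which is what actually controls X-AspNet-Version when ASP.NET pages are served from the same application; that line is not from the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example merged web.config (added example, not the original answer's file).
     Assumes: IIS URL Rewrite module installed; directory converted to an Application. -->
<configuration>

  <system.web>
    <!-- Only relevant if ASP.NET content is served from this application:
         stops the ASP.NET runtime from emitting X-AspNet-Version at all. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>

    <!-- Step 4: run managed modules for every request, so the header
         handling below also covers static files such as .css and .js. -->
    <modules runAllManagedModulesForAllRequests="true" />

    <!-- Step 5: X-Powered-By is a custom header inherited from
         applicationHost.config, so <remove> drops it for this application. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
      </customHeaders>
    </httpProtocol>

    <!-- Step 3: the Server header is written by IIS itself after customHeaders
         are applied, so it cannot be removed there; an outbound rewrite rule
         matches the RESPONSE_SERVER variable and rewrites it to an empty value. -->
    <rewrite>
      <outboundRules>
        <rule name="Remove Server">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

  </system.webServer>
</configuration>
```

After deploying, confirm the result by requesting both a ColdFusion page and a static asset (for example with `curl -I`) and checking that neither response carries Server, X-Powered-By or X-AspNet-Version. Note that the outbound rule blanks the Server header rather than deleting it on older IIS versions, so an empty `Server:` line may still appear; on IIS 10 (Windows Server 2016 version 1709 and later) the header can be suppressed outright with `<security><requestFiltering removeServerHeader="true" /></security>` under `<system.webServer>`, which removes the need for the rewrite rule.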