Remove Server Information, .Net and MVC Information From Response Header

To prevent information-leak findings such as the web server product and the .NET version being identified from the server's response (see the headers below), a few actions need to be taken.

This matters especially when an application is hosted in Azure as a web app, where the owners cannot change settings at the IIS or server OS level, so the headers have to be removed through the application's own configuration. To remove excessive headers that ASP.NET MVC sends, such as:

Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

the steps shown below can be followed.

1-) Remove Server Header

Server: Microsoft-IIS/10.0

Add the following requestFiltering element under <system.webServer> in your project's Web.config:

(The requestLimits element with maxAllowedContentLength is not required; it is only included to show that more than one setting can be defined under requestFiltering.)

<security>
  <requestFiltering removeServerHeader="true">
    <requestLimits maxAllowedContentLength="200000000" />
  </requestFiltering>
</security>

Alternatively, on IIS 7, 7.5, 8.0 and 8.5, which do not support the removeServerHeader attribute, a rewrite element (this requires the IIS URL Rewrite module) can be added under <system.webServer> as shown below.

<system.webServer>
  <rewrite>
    <outboundRules rewriteBeforeCache="true">
      <rule name="Remove Server header">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

2-) Remove ASP.NET MVC Version

X-AspNetMvc-Version: 3.0

Edit the Global.asax.cs file and add the following line to the Application_Start method:

protected void Application_Start(object sender, EventArgs e)
{
    // MvcHandler lives in the System.Web.Mvc namespace; this stops MVC
    // from adding the X-AspNetMvc-Version header to every response.
    MvcHandler.DisableMvcResponseHeader = true;

    // RegisterRoutes etc... and other stuff
}

3-) Remove ASP.NET Version

X-AspNet-Version: 4.0.30319

Add enableVersionHeader="false" to the httpRuntime element under <system.web> in web.config (the other attributes shown are just the existing settings of the sample project):

<httpRuntime maxRequestLength="61440" executionTimeout="3600" enableVersionHeader="false"/>

4-) Remove Powered By ASP.NET

X-Powered-By: ASP.NET

Add a remove name="X-Powered-By" element to the customHeaders section of httpProtocol under <system.webServer>. The other headers in the sample below come from the same project's configuration; note that the Content-Security-Policy value shown (default-src * with 'unsafe-inline' and 'unsafe-eval') is very permissive and should be tightened for production rather than copied as is.

<customHeaders>
  <clear/>
  <add name="X-Frame-Options" value="ALLOW-FROM https://www.*********.com" />
  <!--<add name="X-Frame-Options" value="SAMEORIGIN" />-->
  <add name="Strict-Transport-Security" value="max-age=31536000" />
  <add name="Content-Security-Policy" value="default-src * 'unsafe-inline' 'unsafe-eval';" />
  <remove name="X-Powered-By" />
</customHeaders>

After completing the configuration above, check whether any of the headers are still present in the response, for example with the online checker at http://browserspy.dk/webserver.php/webserver.php or by inspecting the response headers in the browser's developer tools.
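As an added check that is not part of the original post, the following Python script looks for the four headers discussed above in a response head, either the constructed sample or a live HEAD request when a URL is passed on the command line; SAMPLE_BEFORE and the function names are my own.

```python
import sys
import urllib.error
import urllib.request

# The four headers this post removes, with what each one discloses.
LEAKY_HEADERS = {
    "server": "web server product and version",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-powered-by": "application framework",
}

def parse_raw_headers(raw):
    """Parse a raw response head (status line + header lines) into {lower-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if not sep:                              # blank line (end of head) or malformed
            break
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def find_leaks(headers):
    """Return {header: value} for each disclosing header still present. A header
    left with an empty value (as the rewrite rule above does) counts as removed."""
    return {h: headers[h] for h in LEAKY_HEADERS if headers.get(h)}

def fetch_headers(url):
    """HEAD the URL and return its headers lower-cased; error responses carry headers too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}

# Constructed sample of a response head before the changes in this post.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
"""

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else parse_raw_headers(SAMPLE_BEFORE)
    for name, value in find_leaks(hdrs).items():
        print(f"LEAK  {name}: {value}  ({LEAKY_HEADERS[name]})")
```

Run it with no arguments to see the four leaks flagged in the sample; an empty result against your own site means the configuration took effect.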
