Hide IIS server info in a resposne

Hide server info in ASP.NET with simple web.config setting

  • Share

Last year I wrote an article about ASP.NET web application security check list. Apparently there are always more things to add to improve your web application security. The following is the one.

I had a report from one of the clients that the website is revealing the platform, to be more precise the type of the server where it is hosted. The first thing I checked is the X-powered-By header value in web.config.

<configuration> 
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<removename="X-Powered-By"/>
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration> 
    

On my surprise the key value was there, so the ASP.NET info was not returned back in a response. In addition I run Acunetix website security check tool. Even before the test started my IIS version was recognized by the tool.

Although I do not think it i a great security breach, it certainty provides some info that is probably not necessary for the browser and on the other hand can provide hackers the info on which type of server to focus on during the attack.

After some time spent Google-ing on the Internet I found that most of the articles require certain changes on the server machine. This is fine in case you have a full access to web server or your admin is comfortable with making these changes. In both of the cases it is something that my impact other websites hosted on the sever and it was not good enough for me. I wont even mention that is is impossible in case you run a small website on a shared host.

So I needed something else, something that can be done though config on in end case scenario through code change.

The easiest way would be to handle every request through HttpModule and strip header values,but this would require both web.config changes and code changes as well.

public class HeaderRemoveModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.PreSendRequestHeaders  = (sender, args) => HttpContext.Current.Response.Headers.Remove("Server");
    }

    public void Dispose(){}
}
    
<system.webServer>
  <modules>
      <add name="HeaderRemoveModule" type="ResonseHeaders.HeaderRemoveModule" />
  </modules>
</system.webServer>
    

This is a good way to handle all of your header values. All you need is to list and remove all the header keys you do not want in a response. However for my case this was not an option because the running app was already too old and making any change in code would be opening of Pandora's box.

In the end I found a lot simpler solution which requires only web.config change.

<system.webServer>
  <rewrite>
      <outboundRules>
        <rule name="Remove RESPONSE_Server" >
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>      
  </rewrite>
</system.webServer>
    
Note

This web.config setting equires you to have UrlRewriter module installed on your IIS server. Most of the hosts have this already pre-installed on their IIS servers http://www.iis.net/downloads/microsoft/url-rewrite

To test things after you make a change you can use some of the free tools like

or simply install some of the available add-ons for your Firefox or Chrome browser like

  • Share

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.

Comments for this article

comments powered by Disqus