How can I remove/hide/disable excessive HTTP response headers in Azure/IIS7 without having to use UrlScan?

0 votes

I have to remove the excessive headers in order to pass the penetration testing. I have checked different solutions which involve running UrlScan, which in turn is tedious, as UrlScan needs to be installed every time an Azure instance is run!

Can anyone assure me about any way that exists without having to deploy installers from startup.cmd?

I know that response headers are added at different places:

  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?

May 21, 2018 in Azure by null_void
• 3,220 points
367 views

1 answer to this question.

0 votes

MSDN published an article on how to hide headers on Azure Websites. You can now hide the server from web.config by adding an entry to system.webServer:

<security>
  <requestFiltering removeServerHeader="true" />
</security>

VS will frown at the above as invalid though. The above link has code as pics, hard to find. MVC version is still hidden in application start as above, same for x-powered-by and .Net version.

answered May 21, 2018 by club_seesharp
• 3,450 points
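
A complete web.config covering the headers listed in the question, as an added example that is not taken from the answer or from the MSDN article it mentions. It assumes the site runs on Azure App Service or IIS 10, where `removeServerHeader` is supported; X-AspNetMvc-Version has no web.config setting, so it is only noted in a comment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: assumes Azure App Service or IIS 10+, where the
     removeServerHeader attribute exists. Older IIS versions reject it. -->
<configuration>
  <system.web>
    <!-- X-AspNet-Version: the default is enableVersionHeader="true",
         which makes ASP.NET emit the framework version on responses. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <security>
      <!-- Server: stops IIS from adding its own Server header.
           Visual Studio may flag the attribute as invalid because its
           bundled schema predates it. -->
      <requestFiltering removeServerHeader="true" />
    </security>

    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: inherited from the server-level customHeaders
             collection, so it is removed here rather than switched off. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- X-AspNetMvc-Version: not configurable from web.config. It is turned
       off in code by setting MvcHandler.DisableMvcResponseHeader = true
       in Application_Start (Global.asax). -->
</configuration>
```

After deploying, request a page and an error response (for example a 404) and confirm that none of the four headers appear in either.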
