Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

asp.net iis-7 azure penetration-testing response-headers
Nick Evans picture Nick Evans · Oct 9, 2012 · Viewed 43.8k times · Source

I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.

There must be a good solution for Azure that does not involve deploying installers from startup.cmd.

I understand that the response headers are added in different places:

  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?

Answer

Nick Evans picture Nick Evans · Oct 9, 2012

The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.

Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I've found (thanks to this blog, this answer, and this blog combined).

To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):

Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...

Related questions

IIS 500.19 with 0x80070005 The requested page cannot be accessed because the related configuration data for the page is invalid error

I want to upload my own asp.net website on IIS with IIS Manager. But when I do this, I get the following error HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration …

Read More
How do I resolve "HTTP Error 500.19 - Internal Server Error" on IIS7.0

What causes this error, how can I fix it? Detailed Error Information Module IIS Web Core Notification BeginRequest Handler Not yet determined Error Code 0x8007052e Config Error Can not log on locally to C:\inetpub\wwwroot as user administrator …

Read More
Cannot read configuration file due to insufficient permissions

I've recently encountered an error trying to host my asp.net site with IIS. I have found a solution that many swear by. Solution: Add IIS_IUSRS with Read permission on files in the folder Change IIS authentication method to …

Read More