How to remove redundant response header information from Azure Web-Apps?

I have an MVC project that I am deploying to Azure Web-Apps. I am trying to remove redundant header information. The reason I'm trying to delete this information is that it is standard security practice. (Link)

I am trying to remove the following information from the response headers:

    Server: Microsoft-IIS/8.0
    X-AspNet-Version: 4.0.30319
    X-POWERED-BY: PHP/5.4.38
    X-POWERED-BY: ASP.NET

I have the following code in the Global.asax.cs file:

    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
        Response.Headers.Remove("X-AspNet-Version");
        Response.Headers.Remove("X-AspNetMvc-Version");
    }

But this does not affect the result.

+10
2 answers

Try this instead:

    // Fires just before the response headers are written to the client.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("Server");
        HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
        HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
    }

Also, in Application_Start, subscribe it with the following statement:

    PreSendRequestHeaders += Application_PreSendRequestHeaders;

To remove the X-AspNet-Version header, find or create the <system.web> section in web.config and add:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
      ...
    </system.web>

To remove the X-AspNetMvc-Version header, open Global.asax, find or create the Application_Start event and add the following line:

    protected void Application_Start()
    {
        MvcHandler.DisableMvcResponseHeader = true;
    }

To remove X-Powered-By, find or create the <system.webServer> section in web.config and add:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>

You can force all requests to go through managed code by adding this to your web.config:

    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>

That way even static files and unused resources obey your header rules.

+13

Do not use code to remove response headers; according to Microsoft it is unstable.

Instead, use the custom Web.config header section, as defined here:

    <system.webServer>
      <httpProtocol>
        <!-- Security hardening of HTTP response headers -->
        <customHeaders>
          <!-- Sending the new X-Content-Type-Options response header with the value 'nosniff'
               will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
          <add name="X-Content-Type-Options" value="nosniff" />
          <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
               By preventing a browser from framing your site you can defend against attacks like clickjacking.
               Recommended value "x-frame-options: SAMEORIGIN" -->
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <!-- Setting the X-Permitted-Cross-Domain-Policies header to "master-only" will instruct Flash and PDF files
               that they should only read the master crossdomain.xml file from the root of the website.
               https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
          <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
          <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
               Recommended value "X-XSS-Protection: 1; mode=block". -->
          <add name="X-Xss-Protection" value="1; mode=block" />
          <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations
               away from a document and should be set by all sites. If you have sensitive information in your URLs,
               you don't want to forward it to other domains.
               https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
          <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
          <!-- Remove x-powered-by from the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
          <remove name="X-Powered-By" />
          <!-- Set the cache-control per your security settings (will affect performance) -->
          <add name="Cache-Control" value="No-cache" />
        </customHeaders>
      </httpProtocol>
      <!-- Prerequisite for the <rewrite> section: install the URL Rewrite Module on the web server
           https://www.iis.net/downloads/microsoft/url-rewrite -->
      <rewrite>
        <!-- Remove Server response headers (OWASP security measure) -->
        <outboundRules rewriteBeforeCache="true">
          <rule name="Remove Server header">
            <match serverVariable="RESPONSE_Server" pattern=".+" />
            <!-- Use a custom value for the Server info -->
            <action type="Rewrite" value="Your Custom Value Here." />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
+3
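A quick way to verify the outcome of either answer, added here as an example that is not part of the question or the answers: it parses a constructed response header block (the question's headers before hardening, and the headers the web.config above should produce afterwards) and reports which disclosure headers remain and which hardening headers are missing or carry an unexpected value. The product/version regex used to judge the Server header and both sample blocks are my own assumptions.

```python
import re
# Headers the question wants gone: each discloses server or framework details.
DISCLOSURE_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
# Hardening headers the web.config answer adds, with the values it sets.
EXPECTED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Xss-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
# Assumption: Server only counts as a disclosure when it names a product/version such as
# "Microsoft-IIS/8.0"; the rewrite rule's custom text does not match this pattern.
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d")

def parse_headers(raw):
    """Parse a raw HTTP/1.1 response header block into (name, value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def audit(headers):
    """Report disclosure headers still present and hardening headers missing or wrong; input is (name, value) pairs."""
    found = {}
    for name, value in headers:
        found.setdefault(name.lower(), []).append(value)  # header names are case-insensitive
    leaked = {}
    for name in DISCLOSURE_HEADERS:
        values = found.get(name.lower(), [])
        if name == "Server":
            values = [v for v in values if PRODUCT_VERSION.search(v)]
        if values:
            leaked[name] = values
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in found]
    wrong = {h: found[h.lower()] for h, want in EXPECTED_HEADERS.items()
             if h.lower() in found and want.lower() not in [v.lower() for v in found[h.lower()]]}
    return {"leaked": leaked, "missing": missing, "wrong": wrong}

# Constructed sample: the headers quoted in the question, before any hardening.
SAMPLE_BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                 "Server: Microsoft-IIS/8.0\r\nX-AspNet-Version: 4.0.30319\r\n"
                 "X-POWERED-BY: PHP/5.4.38\r\nX-POWERED-BY: ASP.NET\r\n\r\n<html>")
# Constructed sample: what the web.config above should yield (Server rewritten, not removed).
SAMPLE_AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                "Server: Your Custom Value Here.\r\nX-Content-Type-Options: nosniff\r\n"
                "X-Frame-Options: SAMEORIGIN\r\nX-Xss-Protection: 1; mode=block\r\n"
                "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n")
```

Against a deployed site, `audit(resp.getheaders())` on a `urllib.request.urlopen` response gives the same report, since `getheaders()` also returns (name, value) pairs.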

Source: https://habr.com/ru/post/984776/
