Back

Explore Courses Blog Tutorials Interview Questions
+1 vote
1 view
in Azure by (45.3k points)

I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.

There must be a good solution for Azure that does not involve deploying installers from startup.cmd.

I understand that the response headers are added in different places:

  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?

1 Answer

+2 votes
by (16.8k points)
edited by

You can easily hide the server from web.config by adding an entry to system.webServer

Are you interested in learning Azure from basics! Here's the right video for you on Azure provided by Intellipaat:

<security>

      <requestFiltering removeServerHeader ="true" />

</security>

Please check this article for an in-depth go. 

MSDN ARTICLE

Browse Categories

...