How can I remove excessive response header information from Azure Web-Apps?

Question

I have an MVC project that I deploy on Azure Web-Apps. I'm trying to remove the excessive header information. The reason I'm trying to remove this information is because it's a standard security practice. ( Reference )

I'm trying to remove the below information from response headers:

Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET

I have the following code in my Global.asax.cs file:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

But it's not effecting the result.

Answer 1

Try this instead:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
     HttpContext.Current.Response.Headers.Remove("Server");
     HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
     HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
 }

Additionally, in the Application_Start call it with the following instruction

PreSendRequestHeaders += Application_PreSendRequestHeaders;

To remove X-AspNet-Version, in the web.config find/create and add:

<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}

To remove X-Powered-By, in the web.config find/create and add:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    ...
</system.webServer>

You should be able to force all requests to go through your managed code by adding this to your webconfig:

<modules runAllManagedModulesForAllRequests="true">

Even static files and not-found resources should obey your header rules.

References:

• http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

• http://consultingblogs.emc.com/howardvanrooijen/archive/2009/08/25/cloaking-your-asp-net-mvc-web-application-on-iis-7.aspx

Answer 2

Don't use code to remove response headers. It is unstable according Microsoft

Use the Web.config custom Headers section instead as defined here :

    <system.webServer>          
        <httpProtocol>
        <!-- Security Hardening of HTTP response headers -->
        <customHeaders>
            <!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent 
                    Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
            <add name="X-Content-Type-Options" value="nosniff" />

            <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. 
                     By preventing a browser from framing your site you can defend against attacks like clickjacking. 
                     Recommended value "x-frame-options: SAMEORIGIN" -->
            <add name="X-Frame-Options" value="SAMEORIGIN" />

            <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that 
                     they should only read the master crossdomain.xml file from the root of the website. 
                     https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
            <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

            <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. 
                     Recommended value "X-XSS-Protection: 1; mode=block". -->
            <add name="X-Xss-Protection" value="1; mode=block" />

            <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. 
                     If you have sensitive information in your URLs, you don't want to forward to other domains 
                     https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
            <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

            <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
            <remove name="X-Powered-By" />

            <!-- Set the cache-control per your Security settings (will affect performance) -->
            <add name="Cache-Control" value="No-cache" />
        </customHeaders>
    </httpProtocol>

    <!-- Prerequisite for the <rewrite> section
                Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
    <rewrite>
        <!-- Remove Server response headers (OWASP Security Measure) -->
        <outboundRules rewriteBeforeCache="true">
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />

                <!-- Use custom value for the Server info -->
                <action type="Rewrite" value="Your Custom Value Here." />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>