4

Stuck with a really weird problem and can't figure out how to handle it. So, I have an ASP Web API application hosted in IIS 10. I use the IIS Rewrite module with an outbound rule which removes any Server header:

  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>

It always works like a charm, except in the case when I send a request using the DEBUG verb. In this case it returns the Server header and a response body stating that debug is not implemented. I tried to fix that by using the following setting:

<security>
  <requestFiltering removeServerHeader="true" >
    <verbs allowUnlisted="true">
      <clear/>
      <add verb="DEBUG" allowed="false"/>
    </verbs>
  </requestFiltering>
</security>

Btw, requestFiltering removeServerHeader="true" also removes the Server header (in the case when IIS Rewrite is disabled). Again, in all cases except a DEBUG request. Disallowing DEBUG technically gives me nothing as well: I am no longer getting the body of the request, but I am still getting the Server header with my server info. I also tried custom modules, also with no luck.

What else can I do to hide the Server variable for DEBUG requests?

1 Answer

0

ASP.NET has a web.config used for setting DEBUG status for a site. The sample would look like this in the web.config file.

Since ASP.NET may have different site paths, you need to ensure each of the web.configs is properly set.

<system.web>
     <compilation debug="true">
     </compilation>
</system.web>

This is used for debugging purposes, but could be exploited if not carefully managed.

The reference for this is: Site Behavior - Application Debugging

I hope this helps. Regards,
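A regression check for the behaviour described in the question, as an added example that is not part of the original posts: it audits response headers per HTTP verb and reports any verb, DEBUG included, that still returns a non-empty Server header. The function names, the extra headers beyond Server, and the sample responses are assumptions made for illustration; `probe` is meant to be pointed at your own site.

```python
import http.client

# Verbs to check; DEBUG is the one the question found still leaking.
VERBS = ("GET", "HEAD", "POST", "OPTIONS", "DEBUG")
# Server is the page's topic; the other two are an added generalization.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

def parse_head(raw: bytes):
    """Split a raw HTTP response into (status_code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def leaks(headers):
    """Return disclosing headers that carry a non-empty value."""
    # A blank "Server:" header reveals nothing, so it is not reported.
    return [(n, v) for n, v in headers if n.lower() in DISCLOSING and v]

def audit(responses):
    """Map verb -> leaking headers, listing only the verbs that leak."""
    report = {}
    for verb, headers in responses.items():
        found = leaks(headers)
        if found:
            report[verb] = found
    return report

def probe(host, port=443, path="/", verbs=VERBS, timeout=5):
    """Send one request per verb to your own site and collect the headers."""
    responses = {}
    for verb in verbs:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout)
        try:
            conn.request(verb, path)
            responses[verb] = conn.getresponse().getheaders()
        finally:
            conn.close()
    return responses

# Constructed sample responses (not captured from a real server).
SAMPLE = {
    "GET": parse_head(b"HTTP/1.1 200 OK\r\nServer: \r\n\r\nok")[1],
    "DEBUG": parse_head(b"HTTP/1.1 501 Not Implemented\r\nServer: Microsoft-IIS/10.0\r\n\r\n")[1],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running `audit(probe("your-host.example"))` after each configuration change shows whether a given fix covers every verb or only the common ones.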