4

For security I want to remove any HTTP headers that reveal details about the OS, Web Server or Framework that my application is running. I was able to remove all from displaying locally with IIS Express using the articles found on SO and elsewhere. Unfortunately when I published to my Azure Web Site preview, three headers remained:

  1. Server: Microsoft-IIS/7.5
  2. X-Powered-By: ARR/2.5
  3. X-Powered-By: ASP.NET

The articles I'm finding are for Azure Web Roles instead of Web Site Preview, such as this one.

Does anyone know how to remove them from Web Site Preview?

Josh

3 Answers

7

Windows Azure Websites are shared infrastructure and you do not have access to configure IIS as you do in a Web Role. As you have correctly pointed out you could remove these headers:

  • X-AspNet-Version
  • X-AspNetMvc-Version

but are left with the following:

  • Server: Microsoft-IIS/7.5
  • X-Powered-By: ARR/2.5
  • X-Powered-By: ASP.NET

Even if you implement all the necessary steps to suppress these headers you will see from my blog post that illegal requests will be handled by HTTP.SYS at the kernel level which will return the Microsoft-HTTPAPI/2.0 header. You need to edit the registry to remove this header.

The conclusion is that if you want ultimate control of IIS and HTTP.SYS you will need to host your website in a non-shared infrastructure. So your option is a Web Role in a Windows Azure Cloud Service.

Paul Bouwer
  • Thanks Paul. That is the conclusion I came to, but good to have validation. BTW, I tried to get the Microsoft-HTTPAPI/2.0 server response using less than symbol at the end of the URL but could get it to return. I received HTTP/1.1 400 Bad Request message with Server: Microsoft-IIS/7.5. – Josh Jan 30 '13 at 23:59
  • I see that the **Microsoft-HTTPAPI/2.0** header is not coming through when deployed to Azure Websites. Not sure if it's something to do with IIS 7.5 vs 8.0 or if IIS on the shared infrastructure is sanitizing the header. – Paul Bouwer Jan 31 '13 at 01:55
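
A check to run against responses from the deployed site, including error responses such as the 400 discussed in the comments, to confirm which of the headers named in this thread are still returned. This is an added example, not code from any of the posters; the function names are hypothetical and the sample responses are constructed.

```python
# Header names taken from the thread above; matching is case-insensitive.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_headers(raw):
    """Return [(name, value), ...] from a raw response, keeping repeats."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop the body
    fields = []
    for line in head.split("\n")[1:]:                      # skip status line
        if line[:1] in (" ", "\t") and fields:             # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def disclosing_headers(raw):
    """Every (name, value) pair that reveals platform details."""
    return [(n, v) for n, v in parse_headers(raw) if n.lower() in DISCLOSING]


def audit(responses):
    """Map each labelled response to its findings; an empty list is clean."""
    return {label: disclosing_headers(raw) for label, raw in responses.items()}


# Constructed sample responses, not captured from a real site.
SAMPLES = {
    "normal page": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Server: Microsoft-IIS/7.5\r\n"
        "X-Powered-By: ARR/2.5\r\n"
        "X-Powered-By: ASP.NET\r\n"
        "\r\n<html></html>"
    ),
    "malformed request": (
        "HTTP/1.1 400 Bad Request\r\n"
        "server: Microsoft-HTTPAPI/2.0\r\n\r\n"
    ),
    "headers removed": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nServer: x",
}

if __name__ == "__main__":
    for label, found in audit(SAMPLES).items():
        print(label, "->", found or "clean")
```

Both `X-Powered-By` values are reported separately, and a header-like string in the body is not counted as a finding.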
3

This is now possible. See also Remove Server Response Header IIS7

ahong
Jeff Moser
0

Check this thread How to remove ASP.Net MVC Default HTTP Headers? and not only the main response, but also the responses below.

Community
Igorek
  • I've applied those settings, which work in IIS Express locally, but Azure Web Site preview still displays in the header. – Josh Jan 30 '13 at 15:29