Remove sensitive Headers from Azure PaaS hosted Websites

Question

If you follow this article Azure Blog, you can remove the Server, X-Powered-By and MVC version which is great.

You can also achieve similar with a custom IIS module with the following method:

private void OnPreSendRequestHeaders(object sender, EventArgs e)
{
   HttpContext.Current?.Response.Headers.Remove("Server");
   HttpContext.Current?.Response.Headers.Remove("X-AspNet-Version");
   HttpContext.Current?.Response.Headers.Remove("X-AspNetMvc-Version");
   HttpContext.Current?.Response.Headers.Remove("X-Powered-By");
}

However, if you send the following query string:

https://yourAppService.azurewebsites.net/test.txt:

You manage to avoid all the steps you've taken to avoid sending the headers you are trying to keep away from potential hackers.

Sample Request:

Sample Response:

Is there a way to completely remove these headers from ALL responses, and not just requests the app manages to handle gracefully? I have managed to remove the headers from 99% of responses, but not all!

UPDATE:

I have also found if you use PostMan to send a GET request to

https://yourSite.azurewebsites.net/400errortest%00

you get

UPDATE:

The request to /test.txt: was reported fixed by MS on the 26th June 2017. I can confirm it is fixed for this scenario.

Requests to https://yourSite.azurewebsites.net/400errortest%00 via PostMan still return a Server Header which is not great.

Answer 1

If we use the url end with : to visit the azure website that we will get 500 error, the default action should be 404 error. Azure team opened an internal bug and plan to fix it.