
I have a VueJs application hosted on Azure which is returning the following information when the application url is scanned using NMap. How do I prevent the highlighted information from being returned?


I already have the following in the Web.Config file for the VueJs application (inside the public folder):

<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

Is there anything that I'm missing?

Nimish David Mathew
  • Remove the X-Powered-By: ASP.NET header. Under tag , Add – Harshitha Veeramalla Jan 22 '22 at 08:30
  • Those are for removing HTTP headers right? Are the highlighted ones actually HTTP headers? – Nimish David Mathew Jan 23 '22 at 10:38
  • To remove **Server Header** from the response, 1. **Using the Registry key**. Create a DWORD entry called **DisableServerHeader** in the following Registry key and set the value to **1**. HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters After adding the Registry key, restart the HTTP service using the _net stop http_ command and the _net start http_ command. – Harshitha Veeramalla Jan 27 '22 at 08:02
  • Please refer to [Remove Unwanted HTTP Response Headers](https://learn.microsoft.com/en-us/archive/blogs/varunm/remove-unwanted-http-response-headers), [SO thread](https://stackoverflow.com/a/14615862) and [this](https://stackoverflow.com/a/43796068) for more information. – Harshitha Veeramalla Jan 27 '22 at 08:03
  • Add in web.config , it will force all requests to go through your managed code. – Harshitha Veeramalla Jan 27 '22 at 08:14

1 Answer


We have a feature request on this. Kindly upvote this request: remove server header from the front end servers

Our product engineering has been evaluating the feature request (or / for any short-term possibilities), however there is no concrete info/ETA to share.

Just to highlight on the alternate solution(s):

1. If your requirements fit, you may leverage App Gateway - it has the capability to completely remove the “Server” response header from responses and will not reveal even the server version of the proxy itself. The security scans will be successful at this point.

2. App Gateway is a regional service capable of hosting up to 100 endpoints. It would be one App Gateway per region per 100 sites behind the reverse proxy.

-- Depending on the scenario/requirement - although I certainly understand this alone costs overhead and maintenance effort and may not be a suitable option for every case.

-- Additionally, it is not currently possible to implement a custom error page instead of the default “Azure 404” or similar pages. Feature request for custom 403 or 503 - please consider up-voting this feature request.

Kindly be assured that, I have relayed your feedback to our product engineering team. Thanks for your patience!

AjayKumar
  • Can you please share a document which provides details on how to remove server headers using App Gateway? – SharmaPattar Jan 31 '22 at 11:18
  • Thanks for the follow-up. Kindly take a look at this doc - https://learn.microsoft.com/azure/application-gateway/rewrite-http-headers-url – AjayKumar Jan 31 '22 at 20:38
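
One way to check which of the headers discussed in this thread a response still carries after a configuration change, as an added example that is not part of the original question, answer or comments. The two sample responses are constructed, and the mapping pairs each header with the setting mentioned on this page (`X-AspNet-Version` being the header that `enableVersionHeader` controls).

```python
"""Audit HTTP response headers for server-fingerprinting fields (added example)."""

# Header name (lower-case) -> the control discussed on this page that addresses it.
DISCLOSURE_HEADERS = {
    "server": 'requestFiltering removeServerHeader="true", or a rewrite rule at the proxy',
    "x-powered-by": "remove the X-Powered-By header (first comment)",
    "x-aspnet-version": 'httpRuntime enableVersionHeader="false"',
}


def parse_headers(raw):
    """Parse a raw response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status, headers = lines[0].strip(), []
    for line in lines[1:]:
        if not line.strip():               # blank line ends the header block
            break
        if line[0] in " \t" and headers:   # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:                            # header names are case-insensitive
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw):
    """Return {header: [values]} for every fingerprinting header still present."""
    _, headers = parse_headers(raw)
    findings = {}
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.setdefault(name, []).append(value)
    return findings


# Constructed sample responses (not captured from any real site).
BEFORE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n\r\n<html></html>"
)
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-powered-by: ASP.NET\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for name, values in audit(raw).items():
            print(f"{label}: {name} = {values} -> {DISCLOSURE_HEADERS[name]}")
```

Feed it the response head captured from the public URL rather than from the app directly, since a header added by a front end or proxy only shows up there.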