The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically we have 3 response headers which many people want to remove for security reason.
- Server – Specifies web server version.
- X-Powered-By – Indicates that the website is “powered by ASP.NET.”
- X-AspNet-Version – Specifies the version of ASP.NET used.
Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang. 继续阅读
It is amazing technique to remove any information from response header about IIS server is very scarce online. So I decide to blog this.
The reason why you would want this is because you would not want to readily disclose what version of server or what server you are running. For example see blow response header I gathered from one of the site running IIS:
Notice that you have information about Server, X-AspNet-Version, X-Powered-By. There are enough information to know it is running on IIS. Why hide these info? Because why if certain version of IIS server had security hole that the hacker can expose? Sometimes, in Enterprise environment there will be external third party security firms like WhiteHat tagging such exploits so you have to fix. 继续阅读