I will show you the less hacky ones first, i.e. the headers that are designed to be removed easily:
X-AspNet-Version
This can be removed simply by setting the enableVersionHeader attribute on the httpRuntime element inside the system.web section of your web.config:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
      <!-- other settings -->
    </system.web>
X-AspNetMvc-Version
In your Global.asax.cs you can add the following to your Application_Start method (MvcHandler lives in the System.Web.Mvc namespace):

    protected void Application_Start(object sender, EventArgs e)
    {
        // Stops MVC from appending X-AspNetMvc-Version to every response
        MvcHandler.DisableMvcResponseHeader = true;

        // RegisterRoutes etc... and other stuff
    }
X-Powered-By
Instead of removing this I have decided to change it to something different so as not to cause suspicion to a potential hacker:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
          <add name="X-Powered-By" value="PHP 5.2 Ubuntu" />
        </customHeaders>
      </httpProtocol>
      <!-- other stuff -->
    </system.webServer>
Server
This one is harder since there is no config setting for it; you have to change it in code. Of course you could have changed all the other headers this way too, but it feels messy, so I opted to change the others using the intended way. First, make an HttpModule (essentially a class implementing IHttpModule) like this:

    using System;
    using System.Web;

    namespace HttpModules
    {
        public class SecurityModule : IHttpModule
        {
            public void Dispose()
            {
                // intentionally do nothing
            }

            public void Init(HttpApplication context)
            {
                // PreSendRequestHeaders is the last point at which the
                // response headers can still be changed
                context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
            }

            private void context_PreSendRequestHeaders(object sender, EventArgs e)
            {
                var context = ((HttpApplication)sender).Context;
                // Overwrite the Server header IIS would otherwise send
                context.Response.Headers.Set("Server", "Apache 2.0");
            }
        }
    }

Note: I have gone for lying about the server over removing it (which is also possible) since I'd rather fool hackers than annoy them.
Next you just need to register that module in your web.config:
    <system.webServer>
      <modules>
        <add name="SecurityModule" type="HttpModules.SecurityModule, HttpModules" />
      </modules>
    </system.webServer>
Now use Fiddler to have a look at your response headers. Hopefully they now look wonderfully deceptive.
If you have more headers to remove or change, you can do it in much the same way as X-Powered-By (using web.config) or, where that isn't possible, the same way as Server (using the SecurityModule).
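As an added example (not code from the original post), here is the module approach generalised to handle all four headers discussed above in one place, removing them rather than spoofing them. The header policy is kept in a pure method that takes any NameValueCollection, so it can be unit-tested without spinning up an HttpApplication. It assumes IIS 7 or later running in Integrated pipeline mode: HttpResponse.Headers is read-only under Classic mode and IIS 6 and throws PlatformNotSupportedException, which is why the module checks HttpRuntime.UsingIntegratedPipeline before touching it. The namespace, class names and the assembly name used when registering it are my own choices.

```csharp
// Added example, not from the original post. One IHttpModule that applies the
// whole header policy at PreSendRequestHeaders, with the policy itself kept in a
// pure, testable method. Assumes IIS 7+ Integrated pipeline mode.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web;

namespace HttpModules
{
    public static class HeaderPolicy
    {
        // Headers that identify the server or framework; removed outright.
        private static readonly string[] RemoveNames =
        {
            "Server",
            "X-Powered-By",
            "X-AspNet-Version",
            "X-AspNetMvc-Version"
        };

        // Removes every fingerprinting header that is present and returns the
        // names that were actually removed, so a test (or a log line) can show
        // which ones the pipeline had added before this module ran.
        public static string[] Scrub(NameValueCollection headers)
        {
            if (headers == null) throw new ArgumentNullException("headers");

            var removed = new List<string>();
            foreach (var name in RemoveNames)
            {
                if (headers[name] != null)
                {
                    headers.Remove(name);
                    removed.Add(name);
                }
            }
            return removed.ToArray();
        }
    }

    public class HeaderScrubModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Last event at which the response headers are still mutable.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers is only writable in Integrated mode (IIS 7+);
            // in Classic mode / IIS 6 it throws PlatformNotSupportedException.
            if (!HttpRuntime.UsingIntegratedPipeline) return;

            var app = (HttpApplication)sender;
            HeaderPolicy.Scrub(app.Context.Response.Headers);
        }

        public void Dispose()
        {
            // Nothing to release.
        }
    }
}
```

Register it the same way as SecurityModule above, under system.webServer/modules, with type="HttpModules.HeaderScrubModule, HttpModules" (assuming the assembly is also called HttpModules). A unit test can then call HeaderPolicy.Scrub on a NameValueCollection containing, say, Server and X-AspNet-Version and assert that exactly those two names come back and that the collection no longer contains them; the web.config and Application_Start settings earlier in the post remain the intended way to stop the framework headers being generated in the first place, and this module is the catch-all for whatever still reaches the response.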
Good info about getting rid of these headers--especially the MVC header. I have decided that sending faked headers ("Apache 2.0") is unproductive. There are plenty of other hints for anyone knowledgeable to figure out you are running IIS/ASP.NET. The best reason to alter headers is to simply eliminate wasted bandwidth by removing them. IIS is very solid and I find no real reason to masquerade it.
Yeah, you're probably right that pretending to be something else wouldn't fool anyone (but would fool any robots that are string matching these headers).
I've since changed them to remove the server name, give a brief description of the tech stack AND there's even a job ad in there too for such advanced devs ;) http://www.lovemoney.com
not working in IIS-6
The security conscious developer knows that security through obfuscation isn't security, and instead they should keep IIS patched up regularly with Windows Update. ;)
http://www.iis.net/learn/extensions/url-rewrite-module/modifying-http-response-headers