find a location for property in a new city

Thursday, 12 August 2010

Remove HTTP response headers to hide your framework

There are a number of infrastructure details that are passed with your HTTP response headers when serving a page. The security conscious developers out there will be aware that hackers and other malicious people will enjoy learning that information to target their exploits for that framework. If you want to remove the HTTP response headers of Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version or any others I will show you how.

I will show you the less hacky ones first. I.e. the ones where it is designed for you to remove them easily:

X-AspNet-Version

This can be removed simply using the enableVersionHeader attribute of the httpRuntime section of system.web section of your web.config:
<system.web>
  <httpRuntime enableVersionHeader="false" />
  <!-- other settings -->
</system.web>

X-AspNetMvc-Version

In your Global.asax.cs you can add the following to your Application_Start method:
protected void Application_Start(object sender, EventArgs e)
{
    MvcHandler.DisableMvcResponseHeader = true;
    // RegisterRoutes etc... and other stuff
}

X-Powered-By

Instead of removing this I have decided to change it to something different so as not to cause suspicion to a potential hacker:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By"/>
      <add name="X-Powered-By" value="PHP 5.2 Ubuntu"/>
    </customHeaders>
  </httpProtocol>
  <!-- other stuff -->
</system.webServer>

Server

This one is harder since you can't actually do it anywhere else. Of course you could have changed all the other Headers here too but it feels messy doing it this way so I opted to change the others using the intended way.

First, make an HttpModule (essentially a class inheriting from IHttpModule) like this:
namespace HttpModules
{
    public class SecurityModule : IHttpModule
    {
        public void Dispose()
        {
            //intentionally do nothing
        }

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
        }

        private void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            var context = ((HttpApplication)sender).Context;
            context.Response.Headers.Set("Server", "Apache 2.0");
        }
    }
}
Note: I have gone for lying about the server over removing it (which is also possible) since I'd rather fool hackers than annoy them.

Next you just need to register that module in your web.config:
<system.webServer>
  <modules>
    <add name="SecurityModule" type="HttpModules.SecurityModule, HttpModules" />
  </modules>
</system.webServer>

Now use Fiddler to have a look at your Response Headers. Hopefully wonderfully deceptive like this:

If you have more to remove/change you can do it in much the same way as X-Powered-By (using web.config) or if not the Server one (using the Security HttpModule).

Follow britishdev on Twitter

Posted by Colin Farr at Thursday, August 12, 2010 Labels: , , ,

12 comments:

  1. SLORider29 April 2011 at 17:08

    Good info about getting rid of these headers--especially the MVC header. I have decided that sending faked headers ("Apache 2.0") is unproductive. There are plenty of other hints for anyone knowledgeable to figure out you are running IIS/ASP.NET. The best reason to alter headers is to simple eliminate wasted bandwidth by removing them. IIS is very solid and I find no real reason to masquerade it.

    ReplyDelete
    Replies
    1. for ict 9917 September 2020 at 19:56

      Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. Colin Farr3 May 2011 at 14:22

    Yeah, you're probably right that pretending to be something else wouldn't fool anyone (but would fool any robots that are string matching these headers).

    I've since changed them to remove the server name, give a brief description of the tech stack AND there's even a job ad in there too for such advanced devs ;) http://www.lovemoney.com

    ReplyDelete
  3. sandeep Chaurasia9 December 2011 at 09:42

    not working in IIS-6

    ReplyDelete
  4. Anonymous18 June 2012 at 20:42

    The security conscious developer knows that security through obfuscation isn't security, and instead they should keep IIS patched up regularly with Windows Update. ;)

    ReplyDelete
  5. Anonymous17 January 2013 at 13:45

    http://www.iis.net/learn/extensions/url-rewrite-module/modifying-http-response-headers

    ReplyDelete
  6. Unknown26 November 2016 at 10:39


    Thanks for posting this useful content, Good to know about new things here, Let me share this, . Hadoop training in pune

    ReplyDelete
  7. Brave Technologies4 April 2017 at 09:51

    Nice article , Thanks for sharing and keep sharing.
    erp in chennai | erp software providers in chennai

    ReplyDelete
  8. Unknown6 April 2017 at 06:53

    Very helpful post.Thanks for your information! Keep sharing.
    erp software in chennai | erp providers in chennai | online events registration

    ReplyDelete
  9. ALINAAMEL18 December 2017 at 11:33

    nformative and impressive. Keep Updating
    Programmierung in Lüdenscheid

    ReplyDelete
  10. brunagari9 June 2018 at 07:57

    really good
    Jobvermittlung

    ReplyDelete
  11. Katy18 August 2018 at 10:23

    Very useful information and thanks for sharing. Call Of Mini: Zombies Mod Apk

    ReplyDelete

Subscribe to: Post Comments (Atom)