Remove HTTP Respond header in IIS 7.5 or Windows Azure
Respond header excessive info: Server: Microsoft-IIS/7.5, X-AspNet: Mvc-Version 5.2., X-AspNet-Version: 4.0.303319, X-Powered-By: ASP.NET
This solution below seem to be the best solution for me without vulnerable problem with IIS. This solution don’t need URL Scan 3.1 Extention, so you can apply for Azure or some system can config the IIS server.
1. Removing X-AspNet-Version
In web.config add
<system.web> <httpRuntime enableVersionHeader=”false” />
…
2. Removing X-AspNetMvc-Version
In Global.asax.cs add
protected void Application_Start() { MvcHandler.DisableMvcResponseHeader = true;
}
3. Removing or changing X-Powered-By
In web.config add
<configuration> <system.webServer> <httpProtocol> <customHeaders> <remove name=”X-Powered-By” /> <add name=”X-Powered-By” value=”Phat Nguyen” /> </customHeaders> </httpProtocol> </system.webServer>
</configuration>
4. Removing or changing Server
Require URL Rewirte of IIS: http://www.iis.net/downloads/microsoft/url-rewrite and add an serverVariable=”RESPONSE_SERVER”
Use outbound rewrite url in web.config
<configuration> <system.webServer> <rewrite> <outboundRules> <rule name=”Edit Server respond header”> <match serverVariable=”RESPONSE_Server” pattern=”.+” /> <action type=”Rewrite” value=”My Server” /> </rule> </outboundRules> </rewrite> </system.webServer>
</configuration>
