Troy Hunt talks about “Don’t let your response headers talk too loudly”
Four response headers can leak details of the server and framework stack, and each has a straightforward fix:
- Server: The web server software being run by the site. Typical examples include “Microsoft-IIS/7.5”, “nginx/1.0.11” and “Apache”.
Solution: The easiest way is to install UrlScan and, in its configuration file UrlScan.ini, set RemoveServerHeader to 1.
- X-Powered-By: The collection (there can be multiple) of application frameworks being run by the site. Typical examples include: “ASP.NET”, “PHP/5.2.17” and “UrlRewriter.NET 2.0.0”.
Solution: In IIS Manager, open the website's “HTTP Response Headers” feature and remove “X-Powered-By” (IIS writes the removal into the site's web.config).
- X-AspNet-Version: Obviously an ASP.NET only header, typical examples include “2.0.50727”, “4.0.30319” and “1.1.4322”.
Solution: Modify web.config:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
- X-AspNetMvc-Version: Again, you’ll only see this in the ASP.NET stack and typical examples include “3.0”, “2.0” and “1.0”.
Solution: In Global.asax, add this line to the Application_Start handler:
MvcHandler.DisableMvcResponseHeader = true;
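The three declarative fixes above end up in the same file, so here they are together as one web.config. This is an added example, not configuration from Troy's post; it assumes the site runs on IIS 10 or later, where the removeServerHeader attribute on requestFiltering replaces the need for UrlScan (on older IIS that attribute is unrecognised and the site fails to start with a configuration error, so drop it and use UrlScan there). X-AspNetMvc-Version has no web.config switch and still needs the MvcHandler line in Global.asax.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (not from the original post).
     Suppresses Server, X-Powered-By and X-AspNet-Version in one place.
     X-AspNetMvc-Version is code-side: MvcHandler.DisableMvcResponseHeader = true
     in Application_Start. -->
<configuration>
  <system.web>
    <!-- Stops ASP.NET adding X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is normally set server-wide in applicationHost.config;
             this removes the inherited entry for this site -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- IIS 10+ only (assumption: the site runs on IIS 10 or later).
           Drops the Server header without UrlScan. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm with a HEAD request (for example `curl -sI https://your-site/`) that none of the four headers appear; if X-Powered-By still shows up, a site-level setting is being re-added by a module or a parent configuration and the remove element needs to sit at that level instead.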
Troy also checks for these headers in his ASafaWeb scanner at http://asafaweb.com/