@devenes
Forked from nordineb/README.md
Last active March 24, 2023 22:25
Hide HTTP Headers - Fingerprinting Web Server

Checking HTTP headers with curl

curl -I -L https://hostname

Remove ASP.Net MVC Default HTTP Headers

Global.asax.cs

protected void Application_Start()
{
    // ...
    // Suppress the X-AspNetMvc-Version response header
    MvcHandler.DisableMvcResponseHeader = true;
    // ...
}

web.config

<system.web>
    <!-- ... -->
    <!-- Suppress the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
    <!-- ... -->
</system.web>

web.config

<system.webServer>
    <!-- ... -->
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
            <remove name="X-AspNetMvc-Version" />
        </customHeaders>
    </httpProtocol>
    <!-- ... -->
</system.webServer>

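PowerShell

# The IIS cmdlets below come from the WebAdministration module
Import-Module WebAdministration

# Server header: requestFiltering removeServerHeader (IIS 10.0 and later)
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST'  -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

# X-Powered-By: drop the custom header entry
Clear-WebConfiguration "/system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"

# HTTP service (HTTP.sys) setting: DisableServerHeader
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  -Name DisableServerHeader -PropertyType DWord -Value 1 -Force

# Same removeServerHeader setting through appcmd, scoped to "Default Web Site"
C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.webServer/security/requestFiltering /removeServerHeader:True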

Azure only

<system.webServer>
    <security>
        <requestFiltering removeServerHeader="true">
        </requestFiltering>
    </security>
</system.webServer>

Blank server header:

<rewrite>    
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

You can use the PreSendRequestHeaders and PreSendRequestContent events with native IIS modules, but do not use them with managed modules that implement IHttpModule: handling these events there can cause issues with asynchronous requests. Use the BeginRequest event instead.

protected void Application_BeginRequest(object sender, EventArgs e)
{
  var application = sender as HttpApplication;
  if (application != null && application.Context != null)
  {
    application.Context.Response.Headers.Remove("Server");
  }
}
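
To confirm the settings above took effect, the curl check from the top of this page can be scripted. The following is an added example, not part of the original gist: it reads `curl -sIL` output and reports, per redirect hop, any of the headers this page removes that are still present, treating a blanked `Server:` value as clean. The function names and the sample response (host `app.example.test`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `curl -sIL` output for the fingerprinting headers this page removes.
# Reads raw response headers on stdin; prints "hop N: Header: value" for each leak.
# Returns 0 when clean, 1 when any listed header still carries a value.
find_fingerprint_headers() {
  awk '
    BEGIN { hop = 0; leaks = 0 }
    { sub(/\r$/, "") }                       # curl keeps the CRLF line endings
    /^HTTP\// { hop++; next }                # each status line starts a new redirect hop
    {
      colon = index($0, ":")
      if (colon == 0) next
      orig = substr($0, 1, colon - 1)
      name = tolower(orig)                   # header names are case-insensitive
      if (name == "server" || name == "x-powered-by" ||
          name == "x-aspnet-version" || name == "x-aspnetmvc-version") {
        value = substr($0, colon + 1)
        sub(/^[ \t]+/, "", value)
        if (value != "") {                   # a blanked Server header is not a leak
          printf "hop %d: %s: %s\n", hop, orig, value
          leaks++
        }
      }
    }
    END { exit (leaks > 0) }
  '
}

# Constructed sample: the redirect hop still leaks, the final hop is clean.
sample_headers() {
  printf 'HTTP/1.1 301 Moved Permanently\r\n'
  printf 'Server: Microsoft-IIS/10.0\r\n'
  printf 'X-Powered-By: ASP.NET\r\n'
  printf 'Location: https://app.example.test/\r\n\r\n'
  printf 'HTTP/1.1 200 OK\r\n'
  printf 'Server:\r\n'
  printf 'Content-Type: text/html\r\n\r\n'
}

# Live use (hostname is a placeholder): curl -sIL https://hostname | find_fingerprint_headers
```

Checking every hop matters because `-L` follows redirects, and a redirect or error response can still carry headers that the final response no longer does.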