Friday, June 10, 2011

Securing ASP.NET applications by hiding response headers

Although it’s fairly obvious that a website is running ASP.NET (the session cookie and the viewstate give it away), you can still harden your server by removing a few response headers that advertise the exact IIS and ASP.NET versions. The most common response headers you should remove are the following:
  • X-Powered-By:ASP.NET
  • X-AspNet-Version:*.*.*
  • Server:Microsoft-IIS/*.*

The X-Powered-By response header
This header is added by IIS and you can remove it via the “HTTP Response Headers” feature in the IIS configuration tool (IIS Manager), as shown in the following images for IIS 7+:



and for IIS 6 you should check the following image:


The X-AspNet-Version response header

This header is advertised by the .NET framework itself. You can remove it by adding the following entry to your application’s web.config file:
The httpRuntime element is located at configuration\system.web.
In the case of MVC, you should also disable the MVC response header (X-AspNetMvc-Version) by setting System.Web.Mvc.MvcHandler.DisableMvcResponseHeader to true in Global.asax when the application starts.

The Server response header

The hardest response header to remove is the Server one. Quoting the tip from serverfault.com:
For the Server header, on IIS6 you can use Microsoft's URLScan tool to remove that. For IIS7, there is a great article on using a custom module to modify the Server header.
The URLScan tool is easy to install. Don’t forget to enable it by adding it to the ISAPI Filters (the DLL is usually located at %windir%\system32\inetsrv\urlscan\urlscan.dll).
You should also make sure that you enable the RemoveServerHeader option in the UrlScan.ini file, located next to the DLL, by setting that option’s value to 1.
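For IIS 7+ the custom-module approach mentioned above can strip all four headers in one place. The following is an added example written for this post (not the serverfault article’s code); the module and registration names are assumptions, and it assumes the integrated pipeline, since Response.Headers cannot be modified in classic mode.

```csharp
using System;
using System.Web;

// Hypothetical module that strips the version-disclosing headers discussed
// above just before the response headers are sent. Requires the IIS 7+
// integrated pipeline. Register it in web.config at
// configuration/system.webServer/modules, e.g.:
//   <add name="StripVersionHeaders" type="StripVersionHeadersModule" />
// This complements, rather than replaces, the web.config and Global.asax
// settings described in the post.
public class StripVersionHeadersModule : IHttpModule
{
    // Headers that advertise the IIS, ASP.NET and MVC versions.
    private static readonly string[] DisclosingHeaders =
    {
        "Server",
        "X-Powered-By",
        "X-AspNet-Version",
        "X-AspNetMvc-Version"
    };

    public void Init(HttpApplication app)
    {
        // Last managed event before headers are flushed to the client.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null || app.Context == null) return;

        var headers = app.Context.Response.Headers;
        foreach (var name in DisclosingHeaders)
        {
            // Remove is a no-op when the header is absent, so this is safe
            // for responses produced by static files or non-MVC handlers.
            headers.Remove(name);
        }
    }

    public void Dispose() { }
}
```

After deploying, confirm with a raw HTTP client (for example curl -I) that none of the four headers appear on both dynamic pages and static files.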

2 comments:

Anonymous said...

Do you have an email I can contact you on?

Thanks
