Coding adventures with Happy results

Don’t let your response headers reveal server information

Monday, March 30, 2020 | 1:49:32 PM | C#


When it comes to security, alongside the implementation itself we need to hide any additional information that reveals details about our infrastructure, such as the server software and its version. This minimizes attacks that target software versions known to contain security holes.

When you create a new IIS application, the responses typically contain a Server header with the value Microsoft-IIS/10.0, together with an X-Powered-By header. Creating a .Net Full Framework or a .Net Core application and examining the response of the default page with Postman or the browser developer tools, we can immediately spot the problem.


It is obvious that we are running IIS version 10, so an attacker already has some information about our infrastructure.

Handling The Headers - .Net Full

We can easily handle these headers by modifying web.config and adding the removeServerHeader attribute:


  <system.webServer>
    <security>
      <!-- removeServerHeader is available from IIS 10.0 onwards; it drops the "Server: Microsoft-IIS/10.0" header -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is a custom header that IIS adds by default, so it is removed here, not by requestFiltering -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Handler registrations; not related to header removal -->
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler"
        preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>


Handling The Headers - .Net Core 2-3

With the Out-Of-Process hosting model, we can configure Kestrel in the Program.cs file by modifying the IHostBuilder returned by CreateHostBuilder so that it sets AddServerHeader to false.

Information about the Out-Of-Process hosting model can be found here

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args)
    {
        CreateHostBuilder(args).Build().Run();
    }

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                // Stop Kestrel from adding its own "Server: Kestrel" header.
                // This only covers the header Kestrel itself emits (Out-Of-Process hosting);
                // the Server header added by IIS is controlled by removeServerHeader in web.config.
                webBuilder.ConfigureKestrel(options =>
                {
                    options.AddServerHeader = false;
                });
                webBuilder.UseStartup<Startup>();
            });
}

The Results

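To verify the result without eyeballing Postman, here is a small checker written for this post (not code from the original post or from any Microsoft project). It parses a raw response head and reports the disclosing headers; the before/after responses are constructed samples, and it also flags the X-AspNet-Version and X-AspNetMvc-Version headers that the full framework adds, which the post itself does not cover.

```python
import urllib.request

# Headers that reveal server software or framework versions. Server and X-Powered-By
# are the two the post discusses; the X-AspNet* ones are added by the full framework.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_raw_response(raw):
    """Split a raw HTTP response head (status line + header lines) into
    (status_line, headers). Names are lower-cased; repeated headers keep every value."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def find_disclosures(headers):
    """Return {header: [values]} for each disclosing header present; {} means clean."""
    return {name: headers[name] for name in DISCLOSING_HEADERS if name in headers}

def check_url(url, timeout=10):
    """Live check against a deployed site: HEAD request, same report as above."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return find_disclosures(headers)

# Constructed sample: a default IIS 10 / ASP.NET response before any changes.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 30 Mar 2020 10:49:32 GMT
"""

# Constructed sample: the same response once the disclosing headers are removed.
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 30 Mar 2020 10:49:32 GMT
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_disclosures(parse_raw_response(raw)[1]) or "no disclosing headers")
```

Run check_url against your own deployment once the web.config or Program.cs change is in place; an empty result means none of the listed headers came back.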

Until next time,

Happy Coding!