Web applications use headers to send and receive important information from the client machine to the server.  Here is an example of what some of the headers are:

ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
ACCEPT_ENCODING gzip, deflate, sdch, br
ACCEPT_LANGUAGE en-US,en;q=0.8
CONNECTION keep-alive
HOST www.fahadjameel.com
REFERER https://www.google.com/
UPGRADE_INSECURE_REQUESTS 1
USER_AGENT Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

As you can see, this information gives information about the client machine, connection options as well as some other basic information. These headers are fine as long as they do not give any information about our server. Here are some examples of headers with server information.

SERVER Microsoft-IIS/10.0
X-POWERED-BY ASP.NET
X-ASPNET-VERSION 2.0.50727
X-ASPNETMVC-VERSION 1.0

This information can be very helpful for an attacker. By knowing what technology and versions we are using the attacker can easily find online if a vulnerability exist. Unfortunately showing these headers is the default setting for asp.net, but fortunately it can easily be removed.

Removing X-ASPNET-VERSION:

Add this to the web.config.

<system.web>
   <httpRuntime enableVersionHeader=\"false\" />
</system.web>

Removing X-ASPNETMVC-VERSION:

In the Global.asax file add this line in the Application_Start method.

MvcHandler.DisableMvcResponseHeader = true;

Removing X-POWERED-BY:

This header can easily be removed from iis.

  1. Select the website in which you want to remove the header.
  2. Under the IIS grouping select HTTP Response Headers
  3. You will see the X-Powered-By header there. You can remove it from the right side.

Removing Server:

One of the easiest way to handle this is to create your own custom server header, this will overwrite the existing server header.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
using System;
using System.Web;

namespace TestApp.Data
{
    public class CustomServerHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Set("Server", "MY Server");
        }

        public void Dispose()
        { }
    }
}

I have created a class named CustomServerHeaderModule in my Data folder. Now in the web.config I can add:

1
2
3
4
5
<system.webServer>
  <modules>
    <add name="CustomServerHeader" type="TestApp.Data.CustomServerHeaderModule, TestApp" />
  </modules>
</system.webServer>

That's all to it. now you won't need to worry about your website's headers having any important information about your server.