2
votes

URLs like: yourDomain.com/%

throws error: 400 Bad Request

a) This does not enter the application request cycle, but is handled by HTTP.SYS and shows the Server header as follows: Microsoft-HTTPAPI/2.0

b) Also, if you change the host address using Burp interceptor, then it throws a 404 error with the server header as follows: Microsoft-IIS/10.0

I have already checked the following URLs: Removing Server and X-Powered-By HTTP Headers on Azure Web Site Preview

But the following Azure ticket shows that AG allows removal of the header from responses: https://feedback.azure.com/forums/217313-networking/suggestions/16487725-remove-server-framework-headers-from-application-g

But nowhere is it shown how to implement it so that the 'Server' header can be removed when the request does not fall in your application request cycle.

The same is the case with the ticket: Remove sensitive Headers from Azure PaaS hosted Websites

Please note that the application is hosted in Azure WebApp (not VM).

So in a nutshell, I want to hide/change the 'Server' header in the 2 scenarios mentioned above for an app hosted in Azure WebApp.


2 Answers

1
votes

To remove the Server header or the X-Powered-By header in a Windows/IIS-based Azure Web App, you need to add a web.config with the following content:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>  
</configuration>

If you are using a Linux/Kestrel-based app, you need to change CreateHostBuilder in the Program.cs file to something like the following:

    // Program.cs (ASP.NET Core generic host)
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Hosting;

    // AddServerHeader = false stops Kestrel from emitting "Server: Kestrel"
    // on every response it produces.
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder
                    .UseKestrel(options => options.AddServerHeader = false)
                    .UseStartup<Startup>();
            });
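A way to verify the two scenarios from the question after deploying the web.config or Kestrel change: the script below is an added example (not code from the question or either answer). It parses HTTP responses, reports which fingerprinting headers survive, and infers from the Server value which layer answered (HTTP.SYS, IIS, Kestrel, or none). The `probe` function sends a single GET to a host you operate, optionally with a Host header that differs from the connected host, which is what the Burp interception in scenario (b) does; the host names and sample responses are constructed placeholders.

```python
"""Header check for the two scenarios in the question (added example)."""
import http.client
import sys

# Headers that disclose the server stack; names are compared case-insensitively.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def classify_server(server_value):
    """Infer which layer produced the response from its Server header value."""
    if not server_value:
        return "none"          # header absent: the removal setting took effect
    value = server_value.lower()
    if "microsoft-httpapi" in value:
        return "http.sys"      # kernel-mode HTTP.SYS answered (scenario a)
    if "microsoft-iis" in value:
        return "iis"           # IIS answered before the app pipeline (scenario b)
    if "kestrel" in value:
        return "kestrel"
    return "other"


def parse_raw_response(raw):
    """Parse a raw HTTP/1.x response into (status code, {lowercase name: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def report(status, headers):
    """Summarise one response: status, inferred layer and any leaked headers."""
    leaked = {name: headers[name] for name in FINGERPRINT_HEADERS if name in headers}
    return {"status": status, "layer": classify_server(headers.get("server")), "leaked": leaked}


def probe(host, path="/", host_header=None, use_tls=True, timeout=10):
    """Send one GET to a host you operate and return report() for the reply.

    host_header lets the Host header differ from the connected host (scenario b).
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)
        conn.putheader("Host", host_header or host)
        conn.endheaders()
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()
        return report(resp.status, headers)
    finally:
        conn.close()


# Constructed sample replies mirroring the question's observations (not real captures).
SAMPLE_HTTPSYS_400 = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
                      b"Server: Microsoft-HTTPAPI/2.0\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
SAMPLE_IIS_404 = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                  b"Server: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n")
SAMPLE_APP_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                  b"X-AspNet-Version: 4.0.30319\r\nContent-Length: 0\r\n\r\n")


def check_samples():
    """Run report() over the constructed samples; used by the self-check below."""
    return [report(*parse_raw_response(raw))
            for raw in (SAMPLE_HTTPSYS_400, SAMPLE_IIS_404, SAMPLE_APP_200)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode against your own site: normal request, the "/%" URL from the
        # question, and a Host header that does not match the connected host.
        target = sys.argv[1]
        for label, kwargs in (("normal", {}), ("bad-url", {"path": "/%"}),
                              ("host-mismatch", {"host_header": "placeholder.invalid"})):
            print(label, probe(target, **kwargs))
    else:
        for result in check_samples():
            print(result)
```

Run it with no arguments to see the constructed samples classified; pass your own host name to run the three live checks. If the "bad-url" case still reports layer "http.sys" after the web.config change, that matches the question's observation that such responses never reach the application pipeline.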
0
votes

There is no way to remove Server header on Azure Web App.

As a workaround, we can host our web application on IIS in a VM instead of Azure Web App.

To achieve this, we can use Microsoft's official UrlScan tool, after searching for, downloading and installing it. There is a UrlScan.ini file in "C:\Windows\System32\inetsrv\urlscan" that needs to be opened with administrator privileges. My method is to open an administrator cmd, go to that directory, run the command Notepad UrlScan.ini and then edit it in Notepad. There is a RemoveServerHeader option in it: set it to 1, restart IIS and it will take effect. Then visit the website and press F12 to find that Server is missing.

We can get UrlScan at UrlScan 3.1
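The UrlScan.ini fragment below is added here to show the setting the answer refers to; it is not from the answer itself. The section name and keys are the ones UrlScan 3.1 uses. One caveat: UrlScan runs as an ISAPI filter inside IIS, so it affects responses that IIS and the application generate, not the 400 that HTTP.SYS itself returns in the question's scenario (a).

```ini
; UrlScan.ini, default location %SystemRoot%\System32\inetsrv\urlscan\UrlScan.ini
[options]
; 1 = strip the Server header from responses passing through IIS (restart IIS afterwards)
RemoveServerHeader=1
; Alternative when RemoveServerHeader=0: replace the value instead of removing it
; AlternateServerName=
```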

Regarding another sensitive header, X-AspNet-Version, we can remove it in code if you are using ASP.NET FX MVC:

    // Global.asax.cs (ASP.NET Framework MVC)
    using System.Web.Mvc;
    using System.Web.Optimization;
    using System.Web.Routing;

    protected void Application_Start()
    {
        // Suppresses the X-AspNetMvc-Version header that MvcHandler adds.
        // The X-AspNet-Version header itself is controlled by
        // <httpRuntime enableVersionHeader="false" /> in web.config.
        MvcHandler.DisableMvcResponseHeader = true;
        AreaRegistration.RegisterAllAreas();
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }