I have to remove the excessive headers in order to pass the penetration testing. I have checked different solutions which involve running UrlScan, which in turn are tedious as UrlScan needs to be installed every time an Azure instance is run!
Can anyone assure me about any way that exists without having to deploy installers from startup.cmd?
I know that response headers are added at different places:
- Server: added by IIS.
- X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class.
- X-AspNetMvc-Version: added by MvcHandler in System.Web.dll.
- X-Powered-By: added by IIS.
Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?
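
The four headers listed in the question do not all have a web.config switch. The fragment below is an added example, not part of the original post: it sets the two switches that do exist, and its comments note how the other two headers differ.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- X-AspNet-Version: emitted by System.Web; this attribute turns it off. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: a custom header inherited from the server-level IIS
             configuration; removing it here overrides that for this site. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- X-AspNetMvc-Version: no web.config setting. It is disabled in code by
         setting MvcHandler.DisableMvcResponseHeader = true in Application_Start. -->
    <!-- Server: not affected by any setting in this file. The requestFiltering
         attribute removeServerHeader exists only from IIS 10 onward, so it does
         not apply to IIS7. -->
  </system.webServer>
</configuration>
```

After deploying, request a page and inspect the raw response headers to confirm which of the four are still present.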