Quantcast
Channel: Security
Viewing all articles
Browse latest Browse all 1881

Removing http response headers

$
0
0

Hi

Yes, its yet another response-header thread Cool

I've been looking at removing all the normal http response headers, and so far i haven't found that one great way of doing it.

You all know them. asp.net version x-powered-by and server.. and so on.

Now i know there are a lot of guides out there, dealing with one or some of them, but always in different ways. But i have found any guides, that deal with all of them in the same way. The conclussion seems to be, that if i want to remove the narly ones like Server, i need a compiled module, or removing the header in my own application. Thats just fine for requests that make to it the .net part of the pipeline. But what if i get a 404 on a static file? Then my website code wont even run, making the whole thing sort of pointless.

I almost thought i had it, using the global outbound rules in URL rewrite. But that module doesn't remove the header, it "just" rewrites it.

Sadly the security companies scanning my sites, aren't satisfieds with that solution. So i need to come up with something else.

Many guides refer to URLscan, which doesn't seem supported by IIS 7.5 and 8.0, and the Request Filtering replacement doesnt seem able to manupulate with responses, only requests.

So, what am i missing? am i trapped in my google-filter-bubble? Is there a (MS supported) module that can do reponse header manipulation, and which allows me to do hit all the response-headers in one place?

Your input is greatly appreaciated :)

-Kasper


Viewing all articles
Browse latest Browse all 1881

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>