ASP.Net Web Api Security : Remove Generated Http Response Headers

IIS and some of the constructs in ASP.Net love to let the populace know that you are utilizing IIS and what flavor of ASP.Net or MVC you are using. 

This can be great when debugging payloads and you know what the partner has as infrastructure but for an attacker it is an excellent way to reflect your landscape.

Let’s see what a standard payload looks like.

Start with creating a stand web app.

Select Web API and follow the same indices as illustrated.

Run the application to ensure it compiles and renders.

Start up a proxy of your choice , here we are using Telerik Fiddler.

 

Note, 

  1. Server
  2. X-AspNetMvc-Version
  3. X-AspNet-Version
  4. X-Powered-By

To remove these headers (from http://stackoverflow.com/questions/12803972/removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without):

 You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...

Happy defending!