Categories
asp.net c# http-headers iis security

Removing Server header from static content in IIS 7/8

As part of an effort to make our API and site more secure, I’m removing headers that leak information about what the site is running.

Example before stripping headers:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687

Web.config:

<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>

Global.asax.cs:

protected void Application_PreSendRequestHeaders() {
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
Response.AddHeader("Strict-Transport-Security", "max-age=300");
Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}

And after that, all calls to the site and API return safer headers, like so:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687

So far, so good. However, I’ve noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the server header.

HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT

I’m assuming this is being handled by IIS somehow, but can’t find anywhere to remove that header. I’ve tried adding:

<remove name="Server" /> 

to the httpProtocol/customHeaders section in Web.config, as mentioned above. I’ve also tried going into the IIS Manager’s HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns

Server: Microsoft-IIS/8.0

when loading any images, CSS, or JS. Where/what do I need to set something to fix this?

You should be able to force all requests to go through your managed code by adding this to your webconfig:

<modules runAllManagedModulesForAllRequests="true">

Then, even static files should adhere to your header rules.