Hardening ASP.NET Response Headers (Code)
A reliable way to harden an ASP.NET web application is to remove or skew its response headers in code. Default headers such as Server and X-AspNet-Version identify the platform and version, and automated scans use them for banner grabbing to match a target against known vulnerabilities; changing them throws those scans off. IIS can be configured to do the same, but doing it in code means the hardening is applied everywhere the code is deployed, including UAT servers in the DMZ that may be exposed to external threats.
I learned this technique in an enterprise environment.
Setup
ASP.NET Web Application (.NET Framework 4.5.2)
Global.asax
```csharp
// Global.asax.cs: PreSendRequestHeaders fires just before the headers are
// written to the client, the last point at which they can still be changed.
// Response.Headers is only writable under the IIS integrated pipeline.
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Set("Server", "FooServer");   // replace the IIS banner with a skewed value
    Response.Headers.Remove("X-AspNet-Version");   // drop the framework version
    Response.Headers.Set("X-Powered-By", "");      // blank the "ASP.NET" marker IIS adds
    Response.Headers.Remove("X-SourceFiles");      // debug header that leaks the local source path
}
```
Http Module
```csharp
using System;
using System.Web;

namespace WebApplication4.Modules
{
    // Registered in web.config under <system.webServer><modules>, so it runs
    // for every request the integrated pipeline handles, not only .aspx pages.
    public class HardeningHttpModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Subscribe once per application instance; the event fires right
            // before the headers go on the wire.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // HttpContext.Current can be null for requests without a context,
            // so guard before touching the response.
            if (HttpContext.Current != null)
            {
                HttpContext.Current.Response.Headers.Set("Server", "FooServer");
            }
        }
    }
}
```
web.config
```xml
<system.webServer>
  <modules>
    <add name="HardeningHttpModule" type="WebApplication4.Modules.HardeningHttpModule" />
  </modules>
</system.webServer>
```
Verifying
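To confirm the hardening actually reached the client, the following Python script (an added example, not part of the original post) sends a HEAD request to a URL you supply and classifies each of the fingerprinting headers the post targets as absent, empty, skewed or leaking. The URL on the command line is an assumption you substitute; the two raw responses embedded in the script are constructed samples, not captured server output. It also checks X-AspNetMvc-Version, which ASP.NET MVC adds and the post does not mention.

```python
"""Check which platform-fingerprinting response headers a site still sends.

Usage (the URL is an assumption, substitute your own deployment):
    python audit_headers.py https://uat.example.test/
Run with no argument to audit the two constructed sample responses below.
"""
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Mapping

# The headers the Global.asax / HttpModule code removes or overwrites, plus
# X-AspNetMvc-Version, which ASP.NET MVC adds on top of them.
FINGERPRINT_HEADERS = (
    "Server",
    "X-AspNet-Version",
    "X-AspNetMvc-Version",
    "X-Powered-By",
    "X-SourceFiles",
)

# Product strings in the Server header that identify the real platform.
SERVER_PRODUCTS = ("microsoft-iis", "microsoft-httpapi", "kestrel")

# Constructed sample responses (not captured from a live server).
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-SourceFiles: =?UTF-8?B?QzpcaW5ldHB1YlxBcHA=?=\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: FooServer\r\n"
    "X-Powered-By: \r\n"
)


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse a raw response header block (status line first) into a dict keyed
    by lower-cased header name; repeated headers are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Classify each fingerprinting header as 'absent', 'empty', 'skewed'
    (Server present but naming no real product) or 'leak'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdicts: Dict[str, str] = {}
    for name in FINGERPRINT_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            verdicts[name] = "absent"
        elif value.strip() == "":
            verdicts[name] = "empty"
        elif name == "Server" and not any(p in value.lower() for p in SERVER_PRODUCTS):
            verdicts[name] = "skewed"
        else:
            verdicts[name] = "leak"
    return verdicts


def leaking_headers(headers: Mapping[str, str]) -> List[str]:
    """Names of the headers that still disclose the platform."""
    return [name for name, verdict in audit_headers(headers).items() if verdict == "leak"]


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD the URL and return its response headers. Error responses are kept,
    because a 404 page carries the same default headers as a 200."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return {k.lower(): v for k, v in response.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


def report(label: str, headers: Mapping[str, str]) -> None:
    print(f"== {label}")
    for name, verdict in audit_headers(headers).items():
        print(f"  {name:<22} {verdict}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1], fetch_headers(sys.argv[1]))
    else:
        report("constructed default response", parse_header_block(DEFAULT_RESPONSE))
        report("constructed hardened response", parse_header_block(HARDENED_RESPONSE))
```

Run it against a path that returns an error as well as the home page: static files and error pages are served by different handlers, and a header that is gone from one can still be present on the other. An empty X-Powered-By is reported as handled, matching the blank value the Global.asax code sets; whether IIS then emits the blank header or drops it, the product name is gone either way.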
