Enterprise Application Security Header

Matthew Riddler 21 Reputation points
2020-07-13T15:57:59.877+00:00

Hello,

I am not too sure where to ask this question as I cannot find a forum for enterprise applications.

We have had a pen test done on one of our Azure Enterprise applications & have a question about security headers.
At an application level we have removed the server header from the website. This works fine internally, but when accessed via azure the Server header shows as
Microsoft-HTTPAPI/2.0

Is there a way to remove this as part of the enterprise application, or do I need an application gateway to be able to change this?

Thanks
Matt

Tags: Azure App Service, Microsoft Entra ID

2 answers
  1. Krish G 2,326 Reputation points
    2020-07-13T17:31:15.577+00:00

    Hello @MatthewRiddler-9775 , I assume your question is pertaining to your app deployed in Azure Web App. Please let me know if it's not the case. Assuming that is the case, please try one of the below depending on your configuration.

    For Kestrel (in case your app is ASP.NET Core and wired up for Kestrel): Try setting the Kestrel options like the snippet below in Program.cs. The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible. Note: Below I used UseKestrel instead of ConfigureKestrel.

     // Program.cs (ASP.NET Core hosted on Kestrel). AddServerHeader = false suppresses
     // the "Server: Kestrel" response header; it has to be set on the server options,
     // because middleware and web.config run too late to strip it.
     public static IHostBuilder CreateHostBuilder(string[] args) =>
         Host.CreateDefaultBuilder(args)
             .ConfigureWebHostDefaults(webBuilder =>
             {
                 webBuilder.UseStartup<Startup>();
                 webBuilder.UseKestrel(options => options.AddServerHeader = false);
             });
    

    For IIS integrated mode: You need to set it in web.config like below:

     <configuration>
       <system.webServer>
         <security>
           <!-- IIS 10 and later: drop the Server header from every response -->
           <requestFiltering removeServerHeader="true" />
         </security>
         <httpProtocol>
           <customHeaders>
             <!-- X-Powered-By is added by IIS itself, not by the app -->
             <remove name="X-Powered-By" />
           </customHeaders>
         </httpProtocol>
       </system.webServer>
     </configuration>
    
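Both settings in the answer above act on the application host, but the value the question reports, Microsoft-HTTPAPI/2.0, is the default Server header of the Windows HTTP Server API (http.sys), so it is emitted by whichever Windows component terminates the connection in front of the app. The only way to know whether a change worked is to inspect the response at the public edge rather than internally. The script below is an added example, not code from the thread or from Microsoft: it parses a raw HTTP/1.1 response, reports the stack-disclosing headers a pen test usually flags (the list in FINGERPRINT_HEADERS is an assumption, extend it as needed), and includes a `check_url` helper for a live HEAD request. The two sample responses are constructed to mirror the question: one without a Server header, one with the http.sys value.

```python
"""Check an HTTP response for server-fingerprinting headers.

Added example for this thread (not from the original post or from
Microsoft). The sample responses at the bottom are constructed.
"""
from __future__ import annotations

import http.client
import ssl
from urllib.parse import urlparse

# Response headers that disclose the server stack (assumed list; extend as needed).
FINGERPRINT_HEADERS = (
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse the status line and header block of a raw HTTP response.

    Header names are lower-cased; repeated headers keep every value.
    Anything after the first blank line (the body) is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines rather than abort
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint_findings(headers: dict[str, list[str]]) -> dict[str, str]:
    """Return {header: value} for each fingerprinting header present.

    An empty dict means nothing on the list was disclosed. A header that is
    present but empty (e.g. "Server: ") counts as removed.
    """
    findings: dict[str, str] = {}
    for name in FINGERPRINT_HEADERS:
        values = [v for v in headers.get(name, []) if v]
        if values:
            findings[name] = ", ".join(values)
    return findings


def check_raw_response(raw: str) -> dict[str, str]:
    """Convenience wrapper: raw response text in, findings out."""
    return fingerprint_findings(parse_headers(raw))


def check_url(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Send a HEAD request to `url` and run the same check on the live response.

    Point this at the public hostname to see what the edge returns, which is
    what the pen tester saw; the internal response is not what matters.
    """
    u = urlparse(url)
    https = u.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    kwargs = {"context": ssl.create_default_context()} if https else {}
    conn = conn_cls(u.hostname, u.port, timeout=timeout, **kwargs)
    try:
        conn.request("HEAD", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        headers: dict[str, list[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return fingerprint_findings(headers)
    finally:
        conn.close()


# Constructed samples: what the app returns internally once the Server header is
# stripped, and what the question reports seeing when accessed via Azure.
INTERNAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

EDGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_RESPONSE), ("via Azure", EDGE_RESPONSE)):
        found = check_raw_response(raw)
        print(f"{label}: {found or 'no fingerprinting headers'}")
```

Run it with no arguments to see the two constructed cases; call `check_url("https://your-public-hostname/")` from a shell to test the real edge. If the public response still carries `Server: Microsoft-HTTPAPI/2.0` after the application-level change, the header is being added by a component in front of the app, and that component, not the app, is where it has to be suppressed.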

  2. Matthew Riddler 21 Reputation points
    2020-07-13T22:35:59.743+00:00

    Hello,

    @KrishnenduGhosh-MSFT

    Not a web app that I am aware of.
    It is an Enterprise application (under Azure Active Directory). Just presenting an internal application through Azure.
    The web server that is hosting this is not IIS, so the header cannot be coming from there.
    I doubt it is coming from the ADFS server (where I believe the cipher suite comes from), as there is no IIS running on that server.

    I have had a look at Web app & it definitely is not one of those.
    Thanks,
    Matt