"removeServerHeader" attribute set to false in web.config
Shouldn't it be set to true if you don't want to send the Server header?
We host some of our .NET web apps in an Azure Web App on a shared plan. A security audit showed that in certain cases the HTTP Server header is returned, identifying the server running "Microsoft-IIS/10.0". We are already using the "removeServerHeader" attribute set to "true" in web.config. We are also using the customHeaders remove elements to remove certain headers. So in most cases no Server header gets sent.
However, there is a specific case where the Server header is sent: when requesting it using an HTTP 1.0 request. When I open a Telnet connection to port 80 of my web app and send the following GET request:
GET / HTTP/1.0
I get the following response:
HTTP/1.1 404 Not Found
Date: Tue, 06 Oct 2020 13:47:22 GMT
Can this be prevented?
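To repeat the audit check above without Telnet, the following added example (not part of the original post) sends the same minimal GET over a raw socket and reports whether a Server header comes back. The function names, the `your-app.example` placeholder and the two sample responses are constructed for illustration; the three probe variants (HTTP/1.0 without Host, HTTP/1.0 with Host, HTTP/1.1 with Host) are an assumption about which cases are worth comparing.

```python
import socket
import sys

def build_probe(version="1.0", host=None):
    """Return raw bytes for a minimal GET /; HTTP/1.0 permits omitting Host."""
    lines = [f"GET / HTTP/{version}"]
    if host:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_head(raw):
    """Split a raw response into (status_line, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def server_banner(raw):
    """Return the Server header value, or None if the response has none."""
    return parse_head(raw)[1].get("server")

def probe(target, port=80, version="1.0", host=None, timeout=5.0):
    """Send one probe to target:port and return the Server banner or None."""
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.sendall(build_probe(version, host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return server_banner(raw)

# Constructed sample responses (not captured from a real server).
SAMPLE_LEAKY = (b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/10.0\r\n"
                b"Date: Tue, 06 Oct 2020 13:47:22 GMT\r\n\r\n")
SAMPLE_CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python probe.py your-app.example
        name = sys.argv[1]
        for ver, h in (("1.0", None), ("1.0", name), ("1.1", name)):
            print(f"HTTP/{ver} Host={h}: Server={probe(name, 80, ver, h)!r}")
    else:
        print(server_banner(SAMPLE_LEAKY), server_banner(SAMPLE_CLEAN))
```

Running it against your own app after each configuration change shows which request variant, if any, still returns a banner.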