"Addressing Server Exposure in Azure Web App: Concealing Details in DAST Reports

A Aathithya 30 Reputation points
2024-04-29T02:57:04.02+00:00

Hi, we have deployed our Python (Flask) based application on Azure Web App(Linux based). During the DAST report, it was highlighted that server details are exposed. We attempted to address this issue by modifying the Flask code, but it didn't work. Additionally, we lack control over the server. Is there a way to hide or remove the server name and details within the Azure portal?.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,042 questions
{count} votes

3 answers

Sort by: Most helpful
  1. ajkuma 22,851 Reputation points Microsoft Employee
    2024-04-29T06:01:56.0766667+00:00

    @A Aathithya , Based on my understanding of your issue descripition, on App Service when you perform any security testing, the result response is received from the frontends and never arrive to the actual worker (for example, invalid request). Currently, if your requirement fits, you can App Gateway/WAF similar proxy in front and strip out the response header there. If it’s an enterprise app, it’s a good practice to have the WAF either way.

    Please check this doc - Common scenarios for header rewrite

    We have a UserVoice post on a similar request, ‘remove server header from the front end servers’ - you may wish to up-vote.

    Kindly let me know how it goes, or share more details about your requirement.

    0 comments No comments

  2. A Aathithya 30 Reputation points
    2024-05-03T10:36:10.1733333+00:00

    We have resolved the issue by following these steps: Created a 'config.py' file with the following lines: 'import gunicorn' and 'gunicorn.SERVER = "undisclosed"'. Additionally, specified this as the application startup command: 'gunicorn --config python:config.py app:app'.


  3. ajkuma 22,851 Reputation points Microsoft Employee
    2024-05-03T18:21:26.2133333+00:00

    To benefit the community, summarizing the solution shared by @A Aathithya

    Requirement:
    Hide or remove server details exposed on Azure App Service WebApp.

    Scenario:
    After deploying our Python (Flask) based application on Azure Web App (Linux based), DAST report highlighted the exposure of server details.

    Despite attempting to address the issue by modifying the Flask code, the resolution was unsuccessful.

    (Posting the solution shared by @A Aathithya )

    Resolved: The issue has been successfully resolved through the following steps:

    • Created a 'config.py' file with the following lines: 'import gunicorn' and 'gunicorn.SERVER = "undisclosed"'.
    • Specified this file as the application startup command: 'gunicorn --config python:config.py app:app'.

    If the answer helped (pointed you in the right direction) > please click Accept Answer

    0 comments No comments