Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure Mobile Apps

Knowing the server type and the framework it runs is information an attacker can use to fingerprint your site.  This article explains how to remove the two headers named in the title.

Azure Mobile Apps are really Azure Web Apps, so you can configure the headers by altering the Web.Config just as you would for a standard ASP.NET application!

Problem

Here is an example of the headers returned from a simple Azure Mobile App (replace contosomobileapp with the name of your Mobile app):

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:13:57 GMT

Solution

Open the site's Web.Config in your Visual Studio project and find the <system.webServer> section:


Add these two sections inside it:

    <security>
      <requestFiltering removeServerHeader="true"></requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>

So the final Web.Config section will look something like this:


(You can ignore the squiggle Visual Studio shows under removeServerHeader; it is only an editor warning and the setting still works.)

Now right-click the Web.Config in your Solution Explorer view and choose Publish.


Result

The headers are removed:

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:19:07 GMT
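To check the change without relying on screenshots, here is an added Python example (not part of the original post) that verifies a Web.Config contains the two settings above and scans a captured HTTP response for the Server and X-Powered-By headers; the config fragment and the before/after responses are constructed from the text of this post.

```python
import xml.etree.ElementTree as ET

# Constructed Web.Config fragment holding the two sections from the post.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true"></requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed responses modelled on the before/after captures in the post.
BEFORE = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
          "Content-Type: application/json; charset=utf-8\r\n"
          "Server: Microsoft-IIS/8.0\r\nX-Powered-By: ASP.NET\r\n\r\n{}")
AFTER = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
         "Content-Type: application/json; charset=utf-8\r\n\r\n{}")

# Headers that reveal the platform; the post removes both.
DISCLOSING = ("Server", "X-Powered-By")


def missing_settings(xml_text):
    """Return the header-removal settings absent from <system.webServer>."""
    root = ET.fromstring(xml_text)
    ws = next((c for c in root if c.tag == "system.webServer"), None)
    if ws is None:
        return ["removeServerHeader", "remove X-Powered-By"]
    missing = []
    rf = ws.find("security/requestFiltering")
    if rf is None or rf.get("removeServerHeader", "").lower() != "true":
        missing.append("removeServerHeader")
    removes = ws.findall("httpProtocol/customHeaders/remove")
    if not any(r.get("name") == "X-Powered-By" for r in removes):
        missing.append("remove X-Powered-By")
    return missing


def disclosing_headers(raw_response):
    """Parse a raw HTTP response and list the disclosing headers it carries."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    # Header names are case-insensitive; the status line is skipped.
    names = {ln.split(":", 1)[0].strip().lower() for ln in head.split("\n")[1:] if ":" in ln}
    return [h for h in DISCLOSING if h.lower() in names]
```

Run missing_settings on your own Web.Config text and disclosing_headers on a response captured with your usual HTTP tool; an empty list from both means the change is in place.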


Conclusion

As you can see, Azure Mobile Apps are really Azure Web Sites with some additional code to access and present data.  You can configure your Azure Mobile App through the Web.Config just as you would an ASP.NET app deployed on Azure Web Sites.

Let me know if this was a help to you!  Also see this post:

https://blogs.msdn.microsoft.com/jpsanders/2016/09/20/how-to-deny-http-methods-or-verbs-in-azure-web-apps/


Ref: https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/