NCIOCPL / cgov-digital-platform-dynamic-services

Legacy CDE Services

Strip version disclosures from response headers #32

Open jfrank-nih opened 2 years ago

jfrank-nih commented 2 years ago

Response headers for certain pages contain information about the IIS and ASP.NET versions used. NCI recommendations are to suppress version information in responses.

Issue

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popHelp.html
Response Headers: server contains the IIS version

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popDefinition.aspx?id=CDR0000045849&language=English&version=Patient
Response Headers: server contains the IIS version and x-aspnet-version contains software version

Remedy

Remove the offending headers.

jfrank-nih commented 2 years ago

@blairlearn, we could bug the hosting team, or... everything passes through Akamai from the origin, correct? In which case we could strip out headers there.

blairlearn commented 2 years ago

Unfortunately, prior to IIS 10, there's no ability to remove the server header. Possibly the x-aspnet-version header.

jfrank-nih commented 2 years ago

Fair enough. But could we remove with Akamai?

blairlearn commented 2 years ago

No, this isn't a problem in CGDP, it shows up there because of how things are mapped through Akamai. The correct fix is to address it in dynamic services. (Which is where I'll be moving this ticket momentarily.)
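For reference, here is the shape of a web.config change that suppresses the headers named in the issue (the ASP.NET version header and the IIS server header). This is an added example, not configuration from the dynamic-services project, and it assumes a standard IIS/ASP.NET site with nothing else already setting these headers. As noted in the thread, the `removeServerHeader` attribute only exists from IIS 10 onward; on earlier IIS versions the unrecognised attribute is rejected as a configuration error, so that element must be left out there and the `Server` header stripped elsewhere (for example at a reverse proxy or edge).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Stops ASP.NET from emitting the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds X-Powered-By by default; remove it as well so no stack
             information is disclosed. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Suppresses the Server header. Requires IIS 10 or later; omit this
           element on older versions, where it causes a config error. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm the change with a plain request to one of the URLs listed in the issue (for example `curl -sI` against the popHelp.html page) and check that `Server`, `X-AspNet-Version` and `X-Powered-By` are absent from the response; because responses pass through Akamai, verify against both the origin and the edge, since the edge may add its own headers.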