Open jfrank-nih opened 2 years ago
@blairlearn, we could bug the hosting team, or... everything passes through Akamai from the origin, correct? In which case we could strip out headers there.
Unfortunately, prior to IIS 10, there's no ability to remove the server header. Possibly the x-aspnet-version header.
Fair enough. But could we remove with Akamai?
No, this isn't a problem in CGDP, it shows up there because of how things are mapped through Akamai. The correct fix is to address it in dynamic services. (Which is where I'll be moving this ticket momentarily.)
Response headers for certain pages contain information about the IIS and ASP.NET versions used. NCI recommendations are to suppress version information in responses.
Issue

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popHelp.html
Response Headers:
server contains the IIS version

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popDefinition.aspx?id=CDR0000045849&language=English&version=Patient
Response Headers:
server contains the IIS version and
x-aspnet-version contains software version

Remedy

Remove the offending headers.
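One way to confirm the remedy has taken effect is to audit captured response heads for the headers named in the issue. This is an added example, not part of the original issue or the project's code; the sample responses and their version strings are constructed, and the check also covers X-AspNetMvc-Version and X-Powered-By, which the issue does not mention.

```python
import re

# Headers whose presence alone discloses the stack (x-aspnet-version is from the
# issue; the other two are an assumption added for wider coverage).
ALWAYS_DISCLOSING = {"x-aspnet-version", "x-aspnetmvc-version", "x-powered-by"}
# A product token followed by a version number, e.g. "Microsoft-IIS/<version>".
VERSIONED_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")

def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line:                       # blank line ends the header block
            break
        if line[0] in " \t" and headers:   # obsolete folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def find_disclosures(raw):
    """Return sorted (lowercased header name, value) pairs that leak version info."""
    findings = []
    for name, value in parse_headers(raw)[1]:
        key = name.lower()                 # header names are case-insensitive
        if key in ALWAYS_DISCLOSING:
            findings.append((key, value))
        elif key == "server" and VERSIONED_TOKEN.search(value):
            findings.append((key, value))
    return sorted(findings)

# Constructed samples modelled on the two cases in the issue (versions are made up).
STATIC_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/8.5\r\n\r\n"
ASPX_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Server: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\n\r\n")
REMEDIATED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("static", STATIC_PAGE), ("aspx", ASPX_PAGE), ("fixed", REMEDIATED)]:
        print(label, find_disclosures(raw) or "no version disclosure")
```

The same function can be fed response heads saved from the test URLs after the fix is deployed, so the check can run as a regression test.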