Closed blairlearn closed 3 years ago
The X-Powered-By header can be easily removed.
However, prior to v10, IIS does not allow the Server header to be removed, only rewritten. If Kestrel sets one, that's used. And in the odd situation where Kestrel sets a header, but encounters an error (e.g. no such route), IIS will provide its own, ignoring the rewrite rule.
The approach therefore needs to be to rewrite the Server header in IIS and not set one in Kestrel at all.
There is a secondary issue where the overall server still returns these headers, outside the paths controlled by the API. This will need to be addressed separately.
Closed by d98ea2539069d90abf7209ba10f66330d62dbeca
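An added example of the approach described in the comment above (not the project's own change from the closing commit): a web.config fragment for an ASP.NET Core app hosted in IIS, showing only the header-related elements to be merged into the app's existing web.config. It assumes the IIS URL Rewrite module is installed and uses "web" as a placeholder replacement value for the Server header; the removeServerHeader attribute is shown commented out because it exists only on IIS 10 and later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- X-Powered-By can be removed outright on every IIS version. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <!-- Pre-IIS 10: the Server header cannot be removed, only rewritten.
         Requires the URL Rewrite module. "web" is a placeholder chosen for this example. -->
    <rewrite>
      <outboundRules>
        <rule name="Rewrite Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="web" />
        </rule>
      </outboundRules>
    </rewrite>

    <!-- IIS 10 and later only: the Server header can be removed instead of rewritten.
         Leave this out on older versions, which do not recognise the attribute. -->
    <!--
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    -->
  </system.webServer>
</configuration>
```

On the Kestrel side, disable its own Server header so there is nothing for IIS to pass through: `options.AddServerHeader = false` inside `ConfigureKestrel` (or `UseKestrel` on older ASP.NET Core hosting code). When checking the result, request both a routed API path and a path that does not exist, e.g. with `curl -I`, because the error response is the case in which IIS substitutes its own header. The same elements can be set at server level in applicationHost.config, which is the usual way to cover paths outside the API, the secondary issue noted above.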
Issue description
IIS likes to "advertise" itself via the "Server" and "X-Powered-By" headers. This becomes a security concern, particularly when the "Server" header contains a version number.
Steps to reproduce the issue
What's the expected result?
Server header's value should not contain the IIS version number.
X-Powered-By header should not exist.
What's the actual result?
Server header contains the IIS version number.
X-Powered-By header should not exist.
Additional details / screenshot