NCIOCPL / clinical-trials-listing-api

API for Clinical Trial (Dynamic) Listing Pages

Remove sensitive IIS headers #47

Closed blairlearn closed 3 years ago

blairlearn commented 3 years ago

Issue description

IIS likes to "advertise" itself via the "Server" and "X-Powered-By" headers. This becomes a security concern, particularly when the "Server" header contains a version number.

ESTIMATE TBD

Steps to reproduce the issue

  1. Open the browser's developer tools to the network tab.
  2. Browse to a non-existent URL in the API directory structure, e.g. https://webapis.cancer.gov/triallistingsupport/v1/%2522ns%253D%2522netsparker%25280x0084D8%2529
  3. In the developer tools, click on the request

What's the expected result?

What's the actual result?

Additional details / screenshot

blairl-nih commented 3 years ago

The X-Powered-By header can be easily removed.

However, prior to v10, IIS does not allow the Server header to be removed, only rewritten. If Kestrel sets one, that's used. And in the odd situation where Kestrel sets a header, but encounters an error (e.g. no such route), IIS will provide its own, ignoring the rewrite rule.

The approach therefore needs to be to rewrite the Server header in IIS and not set one in Kestrel at all.

blairl-nih commented 3 years ago

There is a secondary issue where the overall server still returns these headers, outside the paths controlled by the API. This will need to be addressed separately.

blairlearn commented 3 years ago

Closed by d98ea2539069d90abf7209ba10f66330d62dbeca