abpframework / abp

Open Source Web Application Framework for ASP.NET Core. Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET and the ASP.NET Core platforms. Provides the fundamental infrastructure, production-ready startup templates, application modules, UI themes, tooling, guides and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Remove IIS 10 Server Header which discloses IIS version #19589

Closed ebicoglu closed 2 weeks ago

ebicoglu commented 2 weeks ago

The assessed web server discloses its version number within the HTTP response headers. This information facilitates attackers in planning future attacks and can be used in the automation of the attack process. It is unnecessary to share this information with the clients of the web application.

The vulnerability can be verified by issuing HTTP requests and inspecting HTTP response headers. HTTP header "Server" contains the version information. The following header can be received in server responses:

Server: Microsoft-IIS/10.0

or

Server: Microsoft-HTTPAPI/2.0

Explanation:

This is not directly related to ABP Framework. It's a header added by the IIS server. So you can disable this header with the web.config file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering removeServerHeader="true" />
        </security>
    </system.webServer>
</configuration>

or

Using URLScan (ISAPI filter), which provides web server administrators additional configuration options to secure the server. To mask the IIS web server's version, the RemoveServerHeader configuration option must be set to 1 or True in the Urlscan.ini file. With IIS 10.0, the server header can be masked with a URL rewrite rule to strip the version information from the header. To illustrate, the following outbound rule would change the value of the server header to ***Masked***:

<rewrite>
    <outboundRules>
        <rule name="changeServerHeader">
            <match serverVariable="RESPONSE_Server" pattern=".*" />
            <action type="Rewrite" value="***Masked***" />
        </rule>
    </outboundRules>
</rewrite>
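As an added example (not from the issue or the ABP project), a small defender-side check that parses a web.config for the removeServerHeader setting shown above and inspects captured HTTP response headers for the two versioned Server values quoted in the issue; all sample inputs are constructed:

```python
# Added example (not from the issue or the ABP project): defender-side checks
# for the IIS Server-header disclosure described above. All inputs below are
# constructed samples.
import re
import xml.etree.ElementTree as ET

# Constructed: the web.config fix from the issue, and a default one without it.
HARDENED_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>"""
DEFAULT_WEB_CONFIG = "<configuration><system.webServer /></configuration>"

# Constructed raw responses: before the fix, with the rewrite rule applied, and
# with the header removed outright.
LEAKY_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n"
MASKED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: ***Masked***\r\nContent-Length: 0\r\n\r\n"
STRIPPED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

# The two header values quoted in the issue, with any version suffix.
VERSIONED_SERVER = re.compile(r"^Microsoft-(IIS|HTTPAPI)/\d+(\.\d+)*$", re.IGNORECASE)


def web_config_removes_server_header(xml_text):
    """True if web.config sets requestFiltering removeServerHeader="true"."""
    root = ET.fromstring(xml_text)
    rf = root.find("./system.webServer/security/requestFiltering")
    return rf is not None and rf.get("removeServerHeader", "").lower() == "true"


def server_header(raw_response):
    """Return the Server header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def discloses_iis_version(raw_response):
    """True if the response still carries a versioned IIS Server header."""
    value = server_header(raw_response)
    return value is not None and VERSIONED_SERVER.match(value) is not None
```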