Azure App Services Remove Information From HTTP headers

  • Question

  • User-960459514 posted

    Hi All,

    There are many posts on this on Google, but none that answer the problem that I have.

    I have 20 web apps hosted in Azure. 10 of them are on one IP address and 10 are on another IP address. Both servers/IP addresses are a mixture of web jobs and websites.

    2 of the apps are systems that do credit card processing, so therefore I have to run PCI scans on the IP address, or I could put in a domain name; I am not sure if it yields different results.

    Once I do the scan on the IP address I get the following result: "The remote web server discloses information via HTTP headers.". All the posts on the internet suggest updating the web.config with a few different values. This is fine and I have done this, but the problem persists.

    My questions are the following.

    1. I assume I have to update all web apps with the necessary web.config entries. Is this correct?
    2. Can you help me understand how the scanner finds the list of domain names using that IP address? Because without the domain names they would just have the IP address, and the web.config would then not matter as the website would not execute without the domain name. Or do I understand incorrectly?
    3. Finally, and the most important. Can I block HTTP headers at the level of the Azure web app, so that I don't have to go through and update all the web apps on the same server? Is there a setting in the Azure portal that allows me to do this? This really would be the solution that I am looking for.

    Here are the headers that I need to remove

    Server type : Microsoft IIS
    Server version : 10.0
    Source : Microsoft-IIS/10.0

    Any help would be greatly appreciated.

    Thank You

    David

    Thursday, October 11, 2018 3:47 PM

All replies

  • User283571144 posted

    Hi dbrosnan,

    I assume I have to update all web apps with the necessary web.config entries. Is this correct?

    As far as I know, if you want to remove the response header, you should modify each web app's web.config and modify the Global.asax code.

    For details about how to remove the response header, you could refer to the article below:

    https://www.saotn.org/remove-iis-server-version-http-response-header/

    Can you help me understand how the scanner finds the list of domain names using that IP address? Because without the domain names they would just have the IP address, and the web.config would then not matter as the website would not execute without the domain name. Or do I understand incorrectly?

    As far as I know, there are multiple tools which could help us find the information related to that IP, like: https://ipinfo.info/html/ip_checker.php

    Finally, and the most important. Can I block HTTP headers at the level of the Azure web app, so that I don't have to go through and update all the web apps on the same server? Is there a setting in the Azure portal that allows me to do this? This really would be the solution that I am looking for.

    As far as I know, there are no settings in the Azure web app portal which could modify the response header.

    Best Regards,

    Brando

    Friday, October 12, 2018 7:34 AM
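
The web.config changes discussed in this thread, as an added example that is not part of the original posts: a fragment that suppresses the `Server: Microsoft-IIS/10.0` header the scan reported, plus two other version headers that are commonly reported under the same finding. It assumes IIS 10.0 (which supports `removeServerHeader`) and an ASP.NET app; the elements are meant to be merged into each app's existing web.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Merge into each app's own web.config. -->
<configuration>
  <system.web>
    <!-- Stops ASP.NET from emitting the X-AspNet-Version header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- IIS 10.0 and later: drops the "Server: Microsoft-IIS/10.0" header -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Removes the inherited "X-Powered-By: ASP.NET" header -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, request a page from each app and confirm the headers are absent from the response before re-running the PCI scan.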