User-960459514 posted
Hi All,
There are many posts on this on Google, but none that answer the problem that I have.
I have 20 web apps hosted in Azure. 10 of them are on one IP address and 10 are on another IP address. Both servers/IP addresses are a mixture of web jobs and websites.
2 of the apps are systems that do credit card processing, so therefore I have to run PCI scans on the IP address, or I could put in a domain name; I am not sure if it yields different results.
Once I do the scan on the IP address I get the following result: "The remote web server discloses information via HTTP headers.". All the posts on the internet suggest updating the web.config with a few different values. This is fine and I have done this, but the problem persists.
My questions are the following.
- I assume I have to update all web apps with the necessary web.config entries. Is this correct?
- Can you help me understand how the scanner finds the lists of domain names using that IP address? Because without the domain names they would just have the IP address, and the web.config would then not matter as the website would not execute without the domain name. Or do I understand incorrectly?
- Finally, and the most important. Can I block HTTP headers at the level of the Azure web app, so that I don't have to go through and update all the web apps on the same server? Is there a setting in the Azure portal that allows me to do this? This really would be the solution that I am looking for.
Here are the headers that I need to remove:
Server type : Microsoft IIS
Server version : 10.0
Source : Microsoft-IIS/10.0
Any help would be greatly appreciated.
Thank You
David