Jump to content

Removing identifying information from the HTTP response headers.


khadem1386
 Share

Recommended Posts

My site is based on ASP3I get some notice about security of my site:--Information Leakage--discriptions:Your site, web server discloses version numbers and architecture information within the HTTP response headers.So The following HTTP Headers are attached to every HTTP response from the your site application. This information helps an attacker profile the application architecture of your site and may point towards existing vulnerabilities.Server: Microsoft-IIS/6.0X-Powered-By: ASP.NETand you must :Remove identifying information from the HTTP response headers.Is there any code in asp3 to manage number and type of my HTTP response headers?or this matter set only By IIS.I am using a shared server.Thank you very much for your help

Link to comment
Share on other sites

Those are settings on the server and ASP. You can't write code to stop the server from sending headers, you can only tell it to send them. You may be able to overwrite those headers with other values, and if you do that the server may see you sending headers with the same name and will use your headers instead of sending its own.

Link to comment
Share on other sites

You may be able to overwrite those headers with other values
could you please write some code as example? is it true?
Response.AddHeader "AUTH_PASSWORD","XXX"

What headers are important to avoid of hacking. and improveing security?

and if you do that the server may see you sending headers
in the other hand you use "MAY" in your sentences.is it your meaning "Perhaps" and "may be"?Did you try it before?And what about if I could use asp.net?Thank you very much Edited by khadem1386
Link to comment
Share on other sites

Have ASP send headers called Server and X-Powered-By, and set them to some nonsense value. The server may see that you've sent those headers, and it won't replace them with its own. I say it "may" because I haven't tried that with ASP or ASP.NET, so I don't know how the server will behave. As long as you're not sending any sensitive information in headers they don't matter in terms of hacking and security.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...