
Removing identifying information from the HTTP response headers.



My site is based on ASP3. I got a notice about the security of my site:

-- Information Leakage --

Description: Your site's web server discloses version numbers and architecture information within the HTTP response headers. The following HTTP headers are attached to every HTTP response from your site's application. This information helps an attacker profile the application architecture of your site and may point towards existing vulnerabilities.

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

And you must: Remove identifying information from the HTTP response headers.

Is there any code in ASP3 to manage the number and type of my HTTP response headers? Or is this matter set only by IIS? I am using a shared server.

Thank you very much for your help.


Those are settings on the server and ASP. You can't write code to stop the server from sending headers, you can only tell it to send them. You may be able to overwrite those headers with other values, and if you do that the server may see you sending headers with the same name and will use your headers instead of sending its own.

You may be able to overwrite those headers with other values
Could you please write some code as an example? Is it true?
Response.AddHeader "AUTH_PASSWORD","XXX"

What headers are important to avoid hacking and improve security?

and if you do that the server may see you sending headers
On the other hand, you use "MAY" in your sentences. Do you mean "perhaps" and "maybe"? Did you try it before? And what about if I could use ASP.NET? Thank you very much.

Edited by khadem1386

Have ASP send headers called Server and X-Powered-By, and set them to some nonsense value. The server may see that you've sent those headers, and it won't replace them with its own. I say it "may" because I haven't tried that with ASP or ASP.NET, so I don't know how the server will behave. As long as you're not sending any sensitive information in headers they don't matter in terms of hacking and security.

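Since the replies above leave open whether the server keeps its own Server and X-Powered-By headers after an override, here is one way to check a response for that, as an added example that is not part of the original thread. The function names and the three sample responses are constructed for illustration; the header names and values come from the scan notice quoted in the first post.

```python
import re
from collections import defaultdict

# Headers named in the scan notice quoted in this thread.
IDENTIFYING = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)*")       # e.g. Microsoft-IIS/6.0
PRODUCT_RE = re.compile(r"microsoft-iis|asp\.net", re.I)  # names from the notice

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def audit(raw):
    """Return (header, value, reason) findings for identifying headers."""
    headers = parse_headers(raw)
    findings = []
    for name in IDENTIFYING:
        values = headers.get(name, [])
        for value in values:
            if VERSION_RE.search(value):
                findings.append((name, value, "version number disclosed"))
            elif PRODUCT_RE.search(value):
                findings.append((name, value, "product name disclosed"))
        if len(values) > 1:
            # Seen when an added header did not replace the server's own.
            findings.append((name, ", ".join(values), "header sent more than once"))
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
          "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\n\r\n<html></html>")
NOT_REPLACED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nServer: none\r\n"
                "X-Powered-By: none\r\nContent-Type: text/html\r\n\r\n<html></html>")
REPLACED = ("HTTP/1.1 200 OK\r\nServer: none\r\nX-Powered-By: none\r\n"
            "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("not replaced", NOT_REPLACED),
                       ("replaced", REPLACED)):
        print(label, audit(raw) or "no identifying values")
```

An empty result from `audit` means neither header carries a product name or version and neither was sent twice.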
