How to edit server information in response sent to client.

  • Article

The scenario is that you wish to hide the server information that is sent from IIS to the client in the response in order to disallow someone to figure out certain information about the machine that IIS runs on via, for example, running a network trace.

 

As an example, taking a network trace when doing a simple request on one of my sites will show this in the trace:

 

- Http: Response, HTTP/1.1, Status: Ok, URL: /EditResponse/Default.aspx

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Cache-Control: private

  + ContentType: text/html; charset=utf-8

    ContentEncoding: gzip

    Vary: Accept-Encoding

    Server: Microsoft-IIS/7.5

    XAspNetVersion: 4.0.30319

    XPoweredBy: ASP.NET

 

So we can see that the server is IIS 7.5. And so, we wish to hide or change this in the response so that this information is not accessible via a network trace.

 

One way to do this is to create a custom HttpModule that edits the response before sending it.

 

. Using Visual Studio, create a new “Class Library” project and call it, for example, “ObfuscateResponse”

. Add a reference to “System.Web” to the project.

. Change the class name to, for example, “ObfuscateResponseModule” and inherit the “IHttpModule”

. Implement the interface (if using VS 2012 you can right click “IHttpModule” and select “Implement Interface”).

. Remove the generated code from the Dispose method.

. In the Init method, hook up the “HttpApplication.PreSendRequestHeaders” event to a method call, for example, “EditReponse”

. In the “EditReponse” method edit the response header to change the server header to your liking.

 

Now you should have something like this:

 

namespace ObfuscateResponse

{

    publicclassObfuscateResponseModule : IHttpModule

    {

        publicvoid Dispose(){}

 

        publicvoid Init(HttpApplication context)

        {

            context.PreSendRequestHeaders += EditResponse;

        }

 

  void EditResponse(object sender, EventArgs e)

        {

            HttpContext.Current.Response.Headers.Set("Server", "Not For Your Eyes!");

        }

    }

}

 

. Build the project and copy the resulting .dll (ObfuscateResponse.dll in this case) to the “bin” folder of your web application.

. Open the web.config in of your web application and insert this:

 

  <system.webServer>

    <modules>

      <addname="ObfuscateResponseModule"type="ObfuscateResponse.ObfuscateResponseModule" />

    </modules>

  </system.webServer>

 

. Run a new request to the site with network monitor tracing on. Now the capture should contain the obfuscated Server information:

 

- Http: Response, HTTP/1.1, Status: Ok, URL: /EditResponse/Default.aspx

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Cache-Control: private

  + ContentType: text/html; charset=utf-8

    ContentEncoding: gzip

    Vary: Accept-Encoding

    Server: Not For Your Eyes!

    XAspNetVersion: 4.0.30319

    XPoweredBy: ASP.NET

 

This is solution allows you to have one assembly that you can use for multiple sites. You can edit global.asax to do the same thing, i.e.:

 

void Application_PreSendRequestHeaders(object sender, EventArgs e)

{

  HttpContext.Current.Response.Headers.Set("Server", "Not For Your Eyes!");

}

 

But then it will be used only for that application

 

 

“Global.asax”

https://wiki.asp.net/page.aspx/553/globalasax/

“HttpApplication.PreSendRequestHeaders Event”

https://msdn.microsoft.com/en-us/library/system.web.httpapplication.presendrequestheaders.aspx