For security I want to remove any HTTP headers that reveals details about the OS, Web Server or Framework that my application is running. I was able to remove all from displaying locally with IIS Express using the articles found on SO and elsewhere. Unfortunately when I published to my Azure Web Site preview, three headers remained:
- Server: Microsoft-IIS/7.5
- X-Powered-By: ARR/2.5
- X-Powered-By: ASP.NET
The articles I’m finding are for Azure Web Roles instead of Web Site Preview, such as this one.
Does anyone know how to remove from Web Site Preview?
Windows Azure Websites are shared infrastructure and you do not have access to configure IIS as you do in a Web Role. As you have correctly pointed out you could remove these headers:
but are left with the following:
Even if you implement all the necessary steps to suppress these headers you will see from my blog post that illegal requests will be handled by HTTP.SYS at the kernel level which will return the Microsoft-HTTPAPI/2.0 header. You need to edit the registry to remove this header.
The conclusion is that if you want ultimate control of IIS and HTTP.SYS you will need to host your website in a non-shared infrastructure. So your option is a Web Role in a Windows Azure Cloud Service.