Removing Unnecessary HTTP Headers in IIS and ASP.NET
<p>
Whenever a browser makes a request to a web server, it sends along several headers. These Headers are used to provide the web server with information
to assist with handling the request. For instance, if the browser supports compression it will send along an <code>Accept-Encoding</code> Header, which lets the web
server know what compression algorithms the browser can work with. Any cookies previously set by the web server are sent from the browser back to the server via the <code>Cookie</code> Header. The browser also sends the <code>User-Agent</code> Header, which the web server can parse to determine the browser (IE, Firefox, Safari, etc.), the version
number, the operating system, and other information.
</p><p>
Similarly, the web server includes a number of Headers when it sends back the contents of the requested resource. These headers are used by the browser to determine how
to render the content and for how long to cache the content. The web server also sends back identifying information, much like the <code>User-Agent</code> request Header.
These identifying headers indicate the web server version along with the ASP.NET version(s) being used.
</p><p>
While certain Headers are necessary, the web server identifying Headers are not. Their inclusion inflates each response by around 100 bytes. Granted,
100 bytes is not much when taken alone, but over thousands or millions of requests those 100 bytes add up. Furthermore, providing
identifying information can pose a security risk. An attacker who knows of a vulnerability in a particular web server and ASP.NET version combination could hunt for targets by making requests to many different servers and flagging those that return the particular web server/ASP.NET version numbers.
</p><p>
This article looks at how to remove these identifying Headers in both IIS 6 and IIS 7. Read on to learn more!
</p>
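As an added example (not code from the original article), the following check audits a captured response from your own server for the identifying Headers discussed above and totals the bytes they add. The header names in IDENTIFYING are an assumption (the names IIS and ASP.NET commonly emit; the page does not list them), and SAMPLE_RESPONSE is constructed for illustration.

```python
import re

# Assumed names of the identifying headers (not listed on the page).
IDENTIFYING = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 7.0 or 2.0.50727

# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

def parse_headers(raw: bytes):
    """Return (name, value, wire_bytes) for each header line of a raw response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    parsed = []
    for line in head.split(b"\r\n")[1:]:        # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                            # ignore malformed lines
        parsed.append((name.decode("latin-1").strip(),
                       value.decode("latin-1").strip(),
                       len(line) + 2))          # +2 for the trailing CRLF
    return parsed

def audit(raw: bytes):
    """Return (findings, total_bytes) for identifying headers in the response."""
    findings = []
    for name, value, size in parse_headers(raw):
        if name.lower() in IDENTIFYING:
            findings.append({"header": name, "value": value, "bytes": size,
                             "discloses_version": bool(VERSION_RE.search(value))})
    return findings, sum(f["bytes"] for f in findings)

if __name__ == "__main__":
    found, total = audit(SAMPLE_RESPONSE)
    for f in found:
        flag = "version disclosed" if f["discloses_version"] else "product only"
        print(f'{f["header"]}: {f["value"]} ({f["bytes"]} bytes, {flag})')
    print(f"identifying headers add {total} bytes to this response")
```

After removing the Headers on the server, rerun the check against a fresh capture; an empty findings list confirms the change took effect.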
