Remove ‘Server’ and ‘X-Powered-By’ headers from your Azure Mobile Apps
The server type and the platform it is running are information an attacker may leverage when fingerprinting a target. This article explains how you can remove these two headers.
Azure Mobile Apps are really Azure Web Apps. You can configure the headers by altering the Web.Config just like you would with a standard ASP.Net application!
Problem
Here is an example of the headers returned from a simple Azure Mobile App (replace contosomobileapp with the name of your Mobile app):
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:13:57 GMT
Solution
Open the site Web.Config in your Visual Studio project and find the <system.webServer> section.
Add these two sections inside it:
    <security>
      <requestFiltering removeServerHeader="true"></requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By"/>
      </customHeaders>
    </httpProtocol>
So the final Web.Config section will look something like this:
(you can ignore the squiggle Visual Studio shows under removeServerHeader)
Now right-click the Web.Config in your Solution Explorer view and choose Publish:
Result
The headers are removed:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:19:07 GMT
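To confirm the change took effect without eyeballing a raw response, here is an added check (example code, not part of the original post) that parses an HTTP response and reports any fingerprinting headers still present. It goes slightly beyond the article: besides Server and X-Powered-By it also flags X-AspNet-Version and X-AspNetMvc-Version, which ASP.NET can emit; the BEFORE/AFTER responses are constructed from the header listings above, and check_url is a live variant for your own site.

```python
"""Report server-fingerprinting headers in an HTTP response (added example)."""
from email.parser import Parser
import urllib.request

# Headers that reveal the server platform; none of them should reach a client.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By",
                       "X-AspNet-Version", "X-AspNetMvc-Version")


def parse_raw_response(raw: str) -> dict[str, str]:
    """Split a raw HTTP/1.x response into a lowercase-keyed header dict."""
    status_line, _, header_block = raw.strip().partition("\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    # HTTP headers share the RFC 822 syntax the email parser understands.
    msg = Parser().parsestr(header_block.strip() + "\n", headersonly=True)
    return {name.lower(): value for name, value in msg.items()}


def leaked_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return the fingerprinting headers present, keyed by canonical name."""
    return {name: headers[name.lower()]
            for name in FINGERPRINT_HEADERS if name.lower() in headers}


def check_url(url: str) -> dict[str, str]:
    """Live check (needs network): HEAD the URL and return leaked headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return leaked_headers({k.lower(): v for k, v in resp.headers.items()})


# Constructed from the article's before/after listings (trimmed).
BEFORE = """HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
"""
AFTER = """HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaks = leaked_headers(parse_raw_response(raw))
        print(label, "LEAKS" if leaks else "clean", leaks)
```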
Conclusion
As you can see, Azure Mobile Apps are really Azure Web Sites with some additional code to access and present data. You can configure your Azure Mobile App through the Web.Config just as you would an ASP.Net app deployed on Azure Web Sites.
Let me know if this was a help to you! Also see this post:
Ref: https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/