IIS7 Header Block v1.0 released

HTTP headers are name/value sets of data that are transmitted between the client (web browser) and the web server. HTTP headers are used to transmit key data such as HTTP cookies.

Excessive HTTP headers can aid an attacker by either identifying particular technologies used within a web application or presenting specific software version information. Whilst minimising the attack surface by preventing information leakage is not a panacea it is a step towards improving security.

With the introduction of new Microsoft frameworks such as ASP.Net and MVC it appears that the number of HTTP headers returned by the IIS web server is increasing. An example of these headers is shown below:

Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

The commonly recommended method for removing HTTP headers within a Microsoft environment involves a combination of URLScan, application web.config changes and changes via the IIS Manager application. However, this is not convenient for large scale infrastructures and it should also be noted that the Server header cannot be removed by any of these methods for IIS 7.

With the increased popularity of the Microsoft IIS7 web server, it is important that specific security recommendations can be applied to the latest web server technologies.

HeaderBlock is a .Net module that presents an easy way to remove key HTTP headers before they are transmitted from the web server to the client. The current list of blocked headers is as follows: