tags:

views:

14

answers:

2
Q: 

Changing headers that IIS/ASP.NET sends. Side-effects?

IIS / ASP.NET sends HTTP headers to identify itself by default. 

Server               Microsoft-IIS/7.5
X-AspNetMvc-Version  2.0
X-AspNet-Version     4.0.30319
X-Powered-By         ASP.NET

Is there any reason not to remove these? Considering the ASP.NET vulnerabilities recently discovered, some people recommend changing the Server header to that of another server, such as Apache, to throw off scanners looking for affected websites. This seems like a good idea. Are there any unwanted side effects that I'm not thinking of?

+1  A: 

In my experience, such tricks are not useful in the least. Spend your time making sure the server is actually secure, rather than wasting time on hacks of essentially no benefit whatsoever. There are plenty of other more reliable ways to know what operating system and web service a server is running.

Andrew Barber  2010-09-20 11:01:00
+1 security through obscurity isn't
annakata  2010-09-20 11:02:46
Thanks Andrew. I'll certainly do my best to ensure that the server is actually secure. So long as there are no negative side affects I'll throw off any automated scanners that read headers using this technique too.
Mr. Flibble  2010-09-20 11:35:14
+2  A: 

I agree with Andrew, but for practical purposes yes this is possible (see here) and I am not aware of any negative side-effects - I believe these exist purely for stat-gathering and "advertising" purposes and the ubiquitous "reserved for future use".

annakata  2010-09-20 11:08:41
I neglected to be complete with my answer, and to note as annakata does that I am not aware of any negative side-effects, either!
Andrew Barber  2010-09-20 11:18:33

related questions

can i use "http header" to check if a dynamic page has been changed.
What should the HTTP response be when the resource is forbidden but there's an alternate resource?
How to detect when a user has successfully finished downloading a file in php
Interesting UTF-8 Yahoo File Download Headers
Access HTTP response headers in for flash.net.URLLoader object?
A way to prevent a mobile browser from downloading and displaying images
PHP - Custom error handling. Redirected 404 is being hijacked by AVG Anti-Virus. How to stop?
Where can I find a List of Standard HTTP Header Values?
Why is Apache + Rails is spitting out two status headers for code 500?
Why do I get "Cannot redirect after HTTP headers have been sent" when I call Response.Redirect(url)?
Possible to detect the *type of mobile device* via javascript or HTTP Headers?
Set up an HTTP proxy to insert a header
File name corruption on file download (IE)
How do I know WHEN to close an HTTP 1.1 Keep-Alive Connection?
How can I perform a HEAD request with the mechanize library?
How do I find the mime-type of a file with php?
HttpHeaders in ASP.NET 1.1
C# Get http:/.../File Size
Client-side detection of HTTP request method
How do you send a HEAD HTTP request in Python?
Specific Client Detection based on headers. Firefox extension?
How to encode the filename parameter of Content-Disposition header in HTTP?
How to set an HTTP header while using a Flex RemoteObject method ?
Making sure a web page is not cached, across all browsers.
IE6 and Caching