Jeff Sanders Technical Blog

I am a Microsoft employee that has worked on all aspects of the Web Stack for a long time. I hope these blogs are useful to you! Use this information at your own risk.



Remove Server And X Powered By Headers From Your Azure Mobile Apps

- 07 Oct 2015

Knowing the server type and the version it is running is information an attacker may leverage.  This article explains how you can remove those headers.
Azure Mobile Apps are really Azure Web Apps, so you can configure the headers by altering the Web.Config just as you would for a standard ASP.Net application!

Problem

Here is an example of the headers returned from a simple Azure Mobile App (replace contosomobileapp with the name of your Mobile app):
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:13:57 GMT

Solution

Open the site Web.Config in your Visual Studio project and find the section shown in this screenshot: [snip_20151007093103](/assets/images/MSDNBlogsFS/prod.evol.blogs.msdn.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/83/94/metablogapi/0638.snip_20151007093103_17AE4C75.png). Add these two sections inside it:

    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

So the final Web.Config section will look something like the screenshot snip_20151007095619 (you can ignore the squiggle under removeServerHeader).
Now right-click on the Web.Config in your Solution Explorer view and choose Publish (screenshot: Untitled).

Result

The headers are removed:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 422
Content-Type: application/json; charset=utf-8
Expires: 0
Set-Cookie: ARRAffinity=df41f72d5dafaca237feeeb4df546bb62b24197ead56d3e53c2496c1f90fe094;Path=/;Domain=contosomobileapp.azurewebsites.net
Date: Wed, 07 Oct 2015 13:19:07 GMT
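After publishing, it is worth verifying the change rather than trusting the config edit. The script below is an added example (not code from the post or from Azure) that parses a raw HTTP response such as the before/after captures above and reports which platform-disclosure headers remain; it goes slightly beyond the post by also flagging X-AspNet-Version and X-AspNetMvc-Version, which ASP.NET can add and which are switched off separately (httpRuntime enableVersionHeader="false" and MvcHandler.DisableMvcResponseHeader). The sample responses are constructed, and the `audit_url` helper is a convenience for checking a live site.

```python
"""Audit HTTP responses for headers that fingerprint the server platform."""
import urllib.request

# Header names that reveal the platform; matched case-insensitively.
DISCLOSURE_HEADERS = ("server", "x-powered-by",
                      "x-aspnet-version", "x-aspnetmvc-version")


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into {lower-name: value}.
    Parsing stops at the first blank line (start of the body); repeated names
    are joined with ', ' so no occurrence is silently lost."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break
        if ":" not in line:
            continue  # tolerate a stray non-header line in a pasted trace
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def find_disclosure_headers(headers: dict) -> dict:
    """Return only the headers that disclose the platform (empty dict = clean)."""
    return {k: v for k, v in headers.items() if k in DISCLOSURE_HEADERS}


def audit_raw_response(raw: str) -> dict:
    return find_disclosure_headers(parse_response_headers(raw))


def audit_url(url: str) -> dict:
    """HEAD a live URL and audit its headers (network access required)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return find_disclosure_headers({k.lower(): v for k, v in resp.getheaders()})


# Constructed samples modelled on the captures in the post.
BEFORE = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
          "Content-Type: application/json; charset=utf-8\r\n"
          "Server: Microsoft-IIS/8.0\r\nX-Powered-By: ASP.NET\r\n"
          "Date: Wed, 07 Oct 2015 13:13:57 GMT\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n"
         "Content-Type: application/json; charset=utf-8\r\n"
         "Date: Wed, 07 Oct 2015 13:19:07 GMT\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        leaks = audit_raw_response(raw)
        print(f"{label}: {leaks or 'no disclosure headers'}")
```

Running it against the constructed captures reports Server and X-Powered-By for the "before" response and nothing for the "after" one.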

Conclusion

As you can see, Azure Mobile Apps are really Azure Web Sites with some additional code to access and present data.  You can easily configure your Azure Mobile App using the Web.Config just as you would for an ASP.Net app deployed on Azure Web Sites.
Let me know if this was helpful to you!  Also see this post:

How to deny HTTP methods (or verbs) in Azure Web Apps

Ref: https://azure.microsoft.com/en-us/blog/removing-standard-server-headers-on-windows-azure-web-sites/
