Re: Hiding server name in HTTP HEAD
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 01/15/05
- Next message: David Wang [Msft]: "Re: Bug IIS 6 Anonymous Access"
- Previous message: BJ Freeman: "Re: WINDOWS NT AUTHENTICATION"
- In reply to: HTW: "Hiding server name in HTTP HEAD"
- Next in thread: John Cesta: "Re: Hiding server name in HTTP HEAD"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 15 Jan 2005 03:25:59 -0800
You can use URLScan to remove the "Server:" response header of structured
responses.
Or you can write an ISAPI Filter listening to SF_NOTIFY_SEND_RESPONSE and
remove the "Server:" response header to get most of those headers. To get
the ones sent through unstructured responses, you'd have to parse the HTTP
response in SF_NOTIFY_SEND_RAW_DATA.
These are the only ways and will likely never change -- you have either
structured or unstructured HTTP responses to deal with, and those are the
ways you deal with them.
However, you should know that security through obscuring the Server header
is rather irrelevant. Attackers can easily case your server to figure out
what is on it without needing that header.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"HTW" <me@privacy.net> wrote in message
news:enCMyMt%23EHA.1292@TK2MSFTNGP10.phx.gbl...
Hi,
does anyone know how I can hide the server information in the HTTP HEAD
info? This would give attackers a first problem finding out which server
product is used and thus where to start...
Thx!
Thorsten
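
The raw-data parsing step mentioned in the reply above, as an added example that is not part of the original post and not IIS or URLScan code: a plain C routine that removes "Server:" fields from a raw response buffer, the work an SF_NOTIFY_SEND_RAW_DATA handler would do on the pvInData/cbInData of its HTTP_FILTER_RAW_DATA argument. The name strip_server_header and the sample response are assumptions made for illustration, and the routine assumes the whole header block is in one buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: does the line at p (len bytes) begin with name? */
static int has_name(const char *p, size_t len, const char *name)
{
    size_t i, n = strlen(name);
    for (i = 0; i < n && i < len; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)name[i]))
            return 0;
    return i == n;
}

/* Hypothetical helper: delete "Server:" fields from the headers of the raw
 * response in buf[0..len), in place; returns the new length, body untouched. */
size_t strip_server_header(char *buf, size_t len)
{
    size_t hdr_end = 0, in = 0, out = 0;
    int dropping = 0;
    for (size_t i = 0; i + 4 <= len && !hdr_end; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            hdr_end = i + 4;            /* first byte of the body */
    if (!hdr_end)
        return len;                     /* header block incomplete: no change */
    while (in < hdr_end) {
        char *nl = memchr(buf + in, '\n', hdr_end - in);  /* never NULL here */
        size_t line = (size_t)(nl - (buf + in)) + 1;
        /* A folded line (leading SP/HT) shares the fate of the field above. */
        if (buf[in] != ' ' && buf[in] != '\t')
            dropping = has_name(buf + in, line, "server:");
        if (!dropping) {
            memmove(buf + out, buf + in, line);
            out += line;
        }
        in += line;
    }
    memmove(buf + out, buf + hdr_end, len - hdr_end);
    return out + (len - hdr_end);
}

int main(void)
{
    /* Constructed sample response, not taken from the page. */
    char r[] = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
               "Content-Length: 2\r\n\r\nok";
    fwrite(r, 1, strip_server_header(r, sizeof r - 1), stdout);
    return 0;
}
```

A header block split across several raw-data notifications has to be buffered before a routine like this can act on it, which is where most of the effort in the raw-data approach goes.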