Unwanted HTTP header in response


Description

This publicly exposed API endpoint was found responding with headers that reveal information about the technology stack, server configuration, or infrastructure details. Such headers hand an attacker reconnaissance information for free: a disclosed product name and version lets them look up known vulnerabilities for exactly that software instead of having to fingerprint it.

Which headers are considered unwanted?

  • X-AspNet-Version: Reveals the specific ASP.NET version in use.
  • X-AspNetMvc-Version: Exposes the ASP.NET MVC framework version.
  • X-Powered-By: Discloses the technology powering the application (PHP, ASP.NET, etc.).
  • Server: Reveals web server software and version information.
  • Via: Exposes proxy server information.
  • X-Generator: Reveals the framework or CMS used to generate the content.
  • X-Backend-Server: Exposes internal infrastructure details.

The check inspects the service response for these headers on the common HTTP status codes 200, 400, 403, 405, and 500.
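The rule above, as a self-contained check that is added here as an example and is not the scanner's own code: it parses a raw HTTP response, flags the listed headers case-insensitively, and ignores responses whose status code is outside the checked set. The sample responses are constructed.

```python
"""Flag information-disclosure headers in an HTTP response (added example, not scanner code)."""

# Header names are compared lower-cased because HTTP header names are case-insensitive.
UNWANTED_HEADERS = {
    "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by",
    "server", "via", "x-generator", "x-backend-server",
}
# Only responses with these status codes are inspected.
CHECKED_STATUS_CODES = {200, 400, 403, 405, 500}


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]               # drop the body
    status_line, _, header_block = head.partition("\r\n")
    status_code = int(status_line.split(" ", 2)[1])  # "HTTP/1.1 500 ..." -> 500
    headers = {}
    for line in header_block.split("\r\n"):
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status_code, headers


def find_unwanted_headers(status_code, headers):
    """Return {name: value} of unwanted headers present, or {} if the status is not checked."""
    if status_code not in CHECKED_STATUS_CODES:
        return {}
    return {name: value for name, value in headers.items() if name in UNWANTED_HEADERS}


# Constructed sample responses for demonstration.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: application/json\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Length: 27\r\n\r\n"
    '{"error":"internal error"}'
)
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 2\r\n\r\n{}"
# A redirect with a Server header: 302 is not in the checked set, so it is not flagged.
REDIRECT_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: /login\r\nServer: nginx/1.18.0\r\n\r\n"

if __name__ == "__main__":
    for raw in (LEAKY_RESPONSE, CLEAN_RESPONSE, REDIRECT_RESPONSE):
        print(find_unwanted_headers(*parse_raw_response(raw)))
```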

Remediation

Remove or suppress the unwanted headers from all API responses to minimize information disclosure.

Suppression examples:

<!-- For ASP.NET applications, in web.config -->
<system.web>
  <!-- Drops X-AspNet-Version. X-AspNetMvc-Version is emitted by MVC itself
       and is not covered by this setting. -->
  <httpRuntime enableVersionHeader="false" />
</system.web>
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
      <remove name="Server" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

# For Apache HTTP Server, in httpd.conf or .htaccess
# ServerTokens is only valid in the main server configuration, not in .htaccess.
# "Prod" shortens the Server header to "Server: Apache"; it does not remove it.
ServerTokens Prod
# No server details on Apache-generated error pages.
ServerSignature Off
# The Header directives require mod_headers.
Header unset X-Powered-By
Header unset Server

# For nginx, in nginx.conf
# Strips the version only; nginx still sends "Server: nginx".
server_tokens off;
# proxy_hide_header only affects headers received from the upstream server.
proxy_hide_header X-Powered-By;
proxy_hide_header Server;