JM Tee

Reputation: 121

Can't Remove Server Name in Request Header in HTTP- Azure App Service

I've made the necessary web.config changes (the file is in D:\home\site\wwwroot); it also has a rewrite rule to redirect everything to HTTPS.

    <configuration>
        <system.web>
            <!-- <compilation debug="true" targetFramework="4.5.1" />
            <httpRuntime targetFramework="4.5.1" enableVersionHeader="false" />-->
            <httpRuntime enableVersionHeader="false" />
            <!--<customErrors mode="RemoteOnly" defaultRedirect="https://concierge.digitaldesk.accenture.com"/>-->
        </system.web>
        <system.webServer>
            <security>
                <requestFiltering removeServerHeader="true"/>
            </security>
            <!-- the posted snippet ends here; the HTTPS rewrite rule mentioned above is not shown -->
        </system.webServer>
    </configuration>


Based on https://securityheaders.com/

Raw Headers With Redirect


Raw Header Without the redirect


It suddenly shows the server name; I need to remove it also.

Please help!!

Upvotes: 2

Views: 1995

Answers (2)

Alin

Reputation: 673

I think your problem is related to the "HTTPS only" setting in the web app's TLS/SSL settings section in the Azure Portal. If you have "HTTPS only" set to ON, the first request to HTTP (not HTTPS) doesn't hit your application code and your web.config doesn't apply. Microsoft is directly responding with a 301 (+ Server header). The next request doesn't have the server name because the web.config rules are applying.

Try to disable "HTTPS only" and do the redirect with a rule in web.config or in application code. This should fix the problem.

To prove my analysis, with "HTTPS only" set to ON, search the logs for requests to http:. If you have Application Insights set up, you can query the logs like this:

    requests
    | where url startswith "http:"
    | order by timestamp desc

If my analysis is correct, you will not find any requests there. But if you disable "HTTPS only", then you will also see the request to http.

Upvotes: 2
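
A per-hop check for the behaviour described in the answer above, as an added example that is not part of the original answers. It inspects each response in the redirect chain separately, so a Server header on the initial HTTP 301 is reported even when the final HTTPS response is clean. The host `app.example` and the sample header values are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Response headers that name the server software ("Server" is the one in the question).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

# Constructed sample response heads (placeholder host, illustrative header values).
SAMPLE = {
    "http://app.example/": "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: https://app.example/\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "https://app.example/": "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n",
}

def parse_head(raw):
    """Parse a raw response head into (status, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def fetch_head(url, timeout=10):
    """Fetch a single hop over the network; http.client never follows redirects."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit_chain(url, fetch=fetch_head, max_hops=5):
    """Return [(url, status, {disclosing header: value})] for every hop in the chain."""
    report = []
    for _ in range(max_hops):
        status, headers = fetch(url)
        # An empty value (e.g. blanked by an outbound rule) is not counted as a leak.
        report.append((url, status, {h: headers[h] for h in DISCLOSING if headers.get(h)}))
        if status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return report

if __name__ == "__main__":
    for hop in audit_chain("http://app.example/", fetch=lambda u: parse_head(SAMPLE[u])):
        print(hop)
```

Calling `audit_chain("http://<your-app-host>/")` with the default `fetch` runs the same check against a live site, one request per hop.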

Jokies Ding

Reputation: 3494

I can't reproduce this issue on my side. Both redirect and non-redirect requests will be removed on my side. Did you miss setting disableServerHeader for the original URL? And have you tried clearing the browser cache, because a 301 redirect can be cached?

I think you could use an outbound rule instead, because an IIS outbound rule will remove the value of the response_server header all the time.


    <outboundRules>
        <rule name="Remove response">
            <match serverVariable="RESPONSE_SERVER" pattern="(.*)" />
            <action type="Rewrite" />
        </rule>
    </outboundRules>

Upvotes: 0
