HTTP headers

HTTP response headers allow you to instruct how the browser should behave when handling data. The HTTP headers below provide extra protection layers to mitigate vulnerabilities (e.g. cross-site scripting, clickjacking, information disclosure, etc.).

Server Header

The Server header describes the software used by the web server handling the request. This may allow attackers to gain insight into the version or type of the web server.

To remove the Server header in IIS, create an outbound rewrite rule that removes the value for the Server header.

To create the outbound rewrite rule:

  1. Open IIS Manager.

  2. In the Connections pane on the left, select Default Web Site.

  3. In the middle pane, double-click URL Rewrite.

  4. In the Actions pane on the right, click Add Rule(s).

  5. Under Outbound rules, select Blank rule, and click OK.

  6. In the Match pane, set Matching scope to Server Variable.

  7. Set the Variable name to RESPONSE_SERVER.

  8. Set the Regular Expressions pattern to .*.

  9. Leave the Action type set to Rewrite and leave the Value field empty.

  10. In the Actions pane, click Apply.

  11. Restart IIS.

Alternatively, you can add the following XML in the <system.webServer> element of C:\Skyline DataMiner\Webpages\web.config and then restart IIS:

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

X-Powered-By

The X-Powered-By header reveals which technologies the web server uses. Threat actors could use this information to target the deployment, so the header should be removed.

To remove the X-Powered-By response header:

  1. Open IIS Manager.

  2. In the Connections pane, select the web server by clicking the server name.

  3. In the middle pane, double-click HTTP Response Headers.

  4. Select X-Powered-By, and click Remove in the Actions pane.

  5. Click Yes when asked to confirm the removal.

HSTS - Strict Transport Security

To bypass TLS encryption on websites served over HTTPS, attackers can use SSL stripping. To mitigate this type of attack, set the Strict-Transport-Security (HSTS) response header. This will instruct the browser to always load DataMiner over HTTPS.

To enable Strict Transport Security:

  1. Open IIS Manager.

  2. In the Connections pane on the left, expand the top node and Sites node until you see Default Web Site.

  3. Right-click Default Web Site and select Manage Website > Advanced settings.

  4. Under Behavior, expand HSTS.

  5. Set Enabled to True.

  6. Set IncludeSubDomains to True.

  7. Set Max-Age to 31536000 seconds (i.e. 1 year).

  8. Optionally, set Preload to True.

  9. Optionally, set Redirect Http to Https to True.

  10. Click OK.

Tip

For information about HSTS, see HSTS Cheat Sheet.
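After applying the Server, X-Powered-By and HSTS changes above, it is worth verifying from a client that the web server actually sends what you expect. The following PowerShell script is an added example and is not part of the DataMiner documentation: it requests the site root over HTTPS and reports whether the Server and X-Powered-By headers are gone and whether Strict-Transport-Security carries a max-age of at least one year with includeSubDomains. The base URL is a placeholder, and the script assumes the site's certificate is trusted by the machine running it.

```powershell
# Added verification example (not DataMiner's own code).
# Assumes: the placeholder URL below points at the DataMiner web site and the
# server certificate is trusted by this client (no certificate bypass is used).
param(
    [string]$BaseUrl = 'https://dataminer.example.local'   # placeholder hostname
)

function Get-HeaderValue {
    param($Headers, [string]$Name)
    # Header names are case-insensitive. Windows PowerShell returns one string
    # per header, PowerShell 7 returns a string array; normalise to one string.
    foreach ($key in $Headers.Keys) {
        if ($key -ieq $Name) { return (@($Headers[$key]) -join ', ') }
    }
    return $null
}

function Test-ResponseHeaders {
    param([string]$Url)
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $headers = $response.Headers
    } catch {
        # A 4xx/5xx still carries response headers in Windows PowerShell; use them if present.
        if ($_.Exception.Response) { $headers = $_.Exception.Response.Headers }
        else { throw }
    }

    $findings = @()

    # 1. Server header: the outbound rewrite rule should leave it absent or empty.
    $server = Get-HeaderValue $headers 'Server'
    $findings += [pscustomobject]@{
        Check  = 'Server header removed'
        Result = if ([string]::IsNullOrEmpty($server)) { 'PASS' } else { 'FAIL' }
        Value  = $server
    }

    # 2. X-Powered-By: removed via HTTP Response Headers in IIS Manager.
    $poweredBy = Get-HeaderValue $headers 'X-Powered-By'
    $findings += [pscustomobject]@{
        Check  = 'X-Powered-By removed'
        Result = if ([string]::IsNullOrEmpty($poweredBy)) { 'PASS' } else { 'FAIL' }
        Value  = $poweredBy
    }

    # 3. HSTS: expect max-age >= 31536000 (1 year) and includeSubDomains.
    $hsts = Get-HeaderValue $headers 'Strict-Transport-Security'
    $hstsOk = $false
    if ($hsts -and $hsts -match 'max-age=(\d+)') {
        $maxAge = [int64]$Matches[1]
        $hstsOk = ($maxAge -ge 31536000) -and ($hsts -imatch 'includeSubDomains')
    }
    $findings += [pscustomobject]@{
        Check  = 'HSTS max-age >= 1 year with includeSubDomains'
        Result = if ($hstsOk) { 'PASS' } else { 'FAIL' }
        Value  = $hsts
    }

    return $findings
}

Test-ResponseHeaders -Url $BaseUrl | Format-Table -AutoSize
```

Run the script against the HTTPS address of the DataMiner site after restarting IIS. Any FAIL row shows the header value that was actually received, which makes it easy to spot a rewrite rule that did not fire (for example because the web.config change was made under the wrong site) or an HSTS max-age that was left at a shorter value.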