Remove server header from error page

Matthias Gwiozda 21 Reputation points
2021-12-06T11:31:29.117+00:00

When calling the following command on Linux, the server prints some information which should not be printed for security reasons:

curl -s -D - https://chatbot-adminui-dev.azurewebsites.net/ -H "Host: "

We want the server header to disappear here.
The HTML page has a title which exposes the technology stack which we are using on Azure (Microsoft Azure Web App - Error 404).

We want a generic 404 page here, which doesn't show any additional information about the server or even the version. How can we achieve this?

Are we even able to change these "internal-looking" error pages of Azure?

We followed all the steps in this post: https://azure.microsoft.com/de-de/blog/removing-standard-server-headers-on-windows-azure-web-sites/

but the headers don't disappear for the error page caused by the manipulated HTTP request with an empty Host header.

Azure App Service

Accepted answer
  1. ajkuma 22,241 Reputation points Microsoft Employee
    2021-12-09T05:17:25.783+00:00

    I completely understand your scenario and points. Our product engineering has been evaluating the feature request (or / for any short-term possibilities), however there is no concrete info/ETA to share.

    Just to highlight more on the alternate solution:

    1. App Gateway is the correct service to solve this problem. It has the capability to completely remove the “Server” response header from responses and will not reveal even the server version of the proxy itself. The security scans will be successful at this point.

    2. App Gateway is a regional service capable of hosting up to 100 endpoints. It would be one App Gateway per region per 100 sites behind the reverse proxy.
    Depending on the scenario/requirement - although I certainly understand this alone costs overhead and maintenance effort and may not be a suitable option for every case.

    3. App Service product group is considering this feature and may have an update soon, although there is no concrete ETA.
    Kindly consider upvoting this feature request: remove server header from the front end servers

    4. It is not currently possible to implement a custom error page instead of the default “Azure 404” or similar pages.
    Feature request for custom 403 or 503 - Kindly up-vote this feature request.

    1 person found this answer helpful.
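
A check for the disclosure discussed in this thread, as an added example that is not part of the original question or answer: it reads raw `curl -s -D -` output and reports a `Server` header or a platform-naming page title, so you can confirm whether a reverse proxy in front of the app actually removed them. The extra header names, the title keyword list, the sample responses and the placeholder host are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit raw `curl -s -D -` output (headers, blank line, body)
# read from stdin. Prints one finding per line; returns 1 if anything leaks.
audit_response() {
    tr -d '\r' | awk '
        # The header section ends at the first empty line.
        !in_body && $0 == "" { in_body = 1; next }
        !in_body {
            name = tolower($0); sub(/:.*/, "", name)
            # Header list is an assumption; the page itself names only Server.
            if (name == "server" || name == "x-powered-by" ||
                name == "x-aspnet-version" || name == "x-aspnetmvc-version") {
                print "header: " $0; found = 1
            }
            next
        }
        # Body: report a <title> that names the platform (keyword list assumed).
        match(tolower($0), /<title>[^<]*<\/title>/) {
            title = substr($0, RSTART + 7, RLENGTH - 15)
            if (tolower(title) ~ /azure|iis|asp\.net/) {
                print "title: " title; found = 1
            }
        }
        END { exit found + 0 }
    '
}

# Constructed sample: a default-style error response that discloses the stack.
sample_leaky() {
    printf '%s\r\n' 'HTTP/1.1 404 Site Not Found' 'Content-Type: text/html' \
        'Server: Microsoft-IIS/10.0' '' \
        '<html><head><title>Microsoft Azure Web App - Error 404</title></head></html>'
}

# Constructed sample: the same error after a proxy strips the header and
# serves a generic page.
sample_clean() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Content-Type: text/html' '' \
        '<html><head><title>Not Found</title></head></html>'
}

# Live use against your own site (placeholder host):
#   curl -s -D - https://<your-app-host>/ -H "Host: " | audit_response
```

Run it against both the app's direct hostname and the proxy's hostname; a clean result on the proxy alone does not cover clients that can still reach the app directly.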
