
How to manage HTTP response headers for IIS, Nginx and Apache

Web server configuration files need the right HTTP response headers to protect users and to avoid disclosing details about the server software. Expert Judith Myerson outlines how to do this on three common servers.

Microsoft Internet Information Services (IIS), Nginx and Apache servers have different ways of handling configuration files and preventing the disclosure of sensitive information about the servers. Here are some guidelines to navigate the differences between the servers to avoid insecure configurations.

Microsoft IIS server

For a programming-savvy system administrator, it is often easier to edit the site's web.config file directly than to click through the IIS Manager graphical user interface. Visual Studio Code, a free source editor from Microsoft, works well for this; web.config is XML, so a syntax-aware editor catches a mismatched tag before IIS refuses to start the site.

HTTP response headers are added to the customHeaders collection under the system.webServer/httpProtocol section of web.config, as seen here:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <add name="X-Xss-Protection" value="1; mode=block" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Two points to keep in mind. The clear element discards any custom headers inherited from applicationHost.config, so every header wanted on this site must be listed here. Strict-Transport-Security is honoured by browsers only when it arrives over HTTPS, so a site that also answers plain HTTP should redirect it to HTTPS rather than rely on this header alone.

To prevent disclosing which ASP.NET version the application runs on, suppress the X-AspNet-Version header in the system.web section of the configuration file, as seen here:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

By default, IIS announces its own version in the Server header (for example, Server: Microsoft-IIS/10.0). IIS 10 can drop this header entirely by setting the removeServerHeader attribute of requestFiltering to true. Note that requestFiltering lives under system.webServer/security, not under httpProtocol:

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>

On versions before IIS 10 the Server header cannot be switched off in configuration, but the URL Rewrite module (an add-on for IIS 7 and later) can rewrite its value on the way out; the same technique works on IIS 10 if a decoy value is preferred over an absent header. With a replacement value, the header looks like this:

Server: Hello World!

Two further steps are needed. First, the server variables RESPONSE_SERVER and RESPONSE_X-POWERED-BY must be whitelisted in the rewrite section. The allowedServerVariables list is server-wide and lives in applicationHost.config (IIS Manager exposes it as View Server Variables under URL Rewrite; appcmd can set it with /commit:apphost). Each variable may be listed only once: a duplicate add entry with the same name produces an HTTP 500.19 configuration error and the site stops serving.

<system.webServer>
  <rewrite>
    <!-- Declare each variable exactly once; a duplicate entry is a configuration error -->
    <allowedServerVariables>
      <add name="RESPONSE_SERVER" />
      <add name="RESPONSE_X-POWERED-BY" />
    </allowedServerVariables>
  </rewrite>
</system.webServer>

Second, add outbound rules that rewrite or blank the header values. The match element names the server variable, RESPONSE_SERVER or RESPONSE_X-POWERED-BY; the response header it controls is the part after RESPONSE_. The first rule rewrites the Server value to Hello World! The second rule sets X-Powered-By to an empty value. An action of type None would leave the header untouched, so the action must be a Rewrite with an empty value:

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Rewrite Server response header">
        <match serverVariable="RESPONSE_SERVER" pattern=".*" />
        <action type="Rewrite" value="Hello World!" />
      </rule>
      <rule name="Blank X-Powered-By header">
        <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".*" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

The second rule is rarely needed. On IIS 7 and later, X-Powered-By is a static custom header defined in applicationHost.config, so it can be removed with one line in the customHeaders section, without the URL Rewrite module at all:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Nginx server

HTTP security headers are added in the server block of the Nginx configuration (nginx.conf or a file it includes). The block's listen directive tells Nginx which port to accept connections on.

server {
    listen 8080;
    server_name example.com;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Two Nginx-specific traps are worth knowing. add_header directives are inherited from the server block only if the enclosing block (a location, for instance) defines none of its own, so a single add_header inside a location silently drops every header set at server level. And without the always parameter (available since Nginx 1.7.5) the headers are added only to 2xx and 3xx responses, so error pages go out without them. Strict-Transport-Security also belongs only in the server block that handles HTTPS (listen 443 ssl), since browsers ignore it over plain HTTP.

The server_name directive lets several domains share one IP address: Nginx picks the server block whose server_name matches the Host header of the incoming request.

Typically, one configuration file is created per hosted domain, each containing its own server block.

Nginx's configuration file has no directive to change the text of the Server response header; the server_name directive and the server block are unrelated to it. The stock directive server_tokens off hides the version number, leaving Server: nginx, and that is enough for most deployments. To change the name itself, the Nginx source must be downloaded, extracted and edited before building, using these commands:

wget http://nginx.org/download/nginx-1.13.7.tar.gz
tar -xzvf nginx-1.13.7.tar.gz
nano nginx-1.13.7/src/http/ngx_http_header_filter_module.c

In that source file (ngx_http_header_filter_module.c, a C file rather than a configuration file), find the two string constants that define the Server header. The first is sent when server_tokens is off, the second, which embeds the version, when it is on. Releases from 1.11.10 onward also define ngx_http_server_build_string for the server_tokens build setting; change it in the same way.

static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

To keep the software name out of the header, change both strings. They must remain valid C string literals, so the replacement text goes inside the quotes:

static char ngx_http_server_string[] = "Server: Hello World!!!" CRLF;
static char ngx_http_server_full_string[] = "Server: Hello World!!!" CRLF;

As with any source change, it takes effect only after the modified tree is configured, compiled and installed (./configure with the same options as the existing build, then make and make install) and Nginx is restarted. The edit has to be repeated on every upgrade, which is the main reason to prefer server_tokens off where hiding the version is sufficient.

Apache server

The Apache server configuration file is found in this directory for Debian or Ubuntu systems:

/etc/apache2/apache2.conf

For Red Hat, CentOS or Fedora systems, the Apache configuration file is found here:

/etc/httpd/conf/httpd.conf

HTTP security headers can be added inside an IfModule block in the configuration file, so the directives are skipped rather than breaking startup when mod_headers is not loaded (on Debian and Ubuntu, a2enmod headers enables it):

<IfModule mod_headers.c>
  Header always set X-Xss-Protection "1; mode=block"
  Header always set X-Content-Type-Options "nosniff"
</IfModule>

The always condition makes mod_headers add the headers to error responses as well as successful ones; without it, a 404 or 500 page goes out without them.

By default, the server reports the Apache version (and often the operating system and loaded modules) in the Server header and in the footer of generated error pages. To stop that, open the configuration file with a text editor, search for ServerSignature and set it to Off to drop the footer, and set ServerTokens Prod so the Server header is reduced to Server: Apache. Apache has no configuration directive to remove or rename the header beyond that. The server must be restarted (systemctl restart apache2 on Debian-based systems, systemctl restart httpd on Red Hat-based ones) for the changes to take effect.
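After changing any of the three servers above, the result should be verified from the client side rather than trusted from the configuration file. The following Python script is an added example, not code from the article or from IIS, Nginx or Apache: it parses a raw HTTP response, flags missing security headers (with a real parse of the Strict-Transport-Security value, so the maxage= typo is caught), and reports Server, X-Powered-By and X-AspNet-Version disclosures. The three sample responses are constructed for illustration and are not captures from real hosts; the audit_live helper is a convenience for running the same check against a real server.

```python
"""Offline audit of the response headers configured in this article.

Added example, not code from the article or the servers it covers. The raw
responses at the bottom are constructed samples, not real captures.
"""
from __future__ import annotations

import http.client
import re

# Headers every hardened response should carry, with a check on the value.
REQUIRED = {
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": lambda v: hsts_ok(v),
}
# Headers that exist only to advertise the framework; any value is a disclosure.
DISCLOSING = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+\.\d+")                # e.g. nginx/1.13.7, Microsoft-IIS/10.0
PRODUCT_RE = re.compile(r"nginx|apache|iis", re.I)  # product name without a version


def hsts_ok(value: str, min_age: int = 31536000) -> bool:
    """True if max-age is at least min_age and includeSubDomains is present.

    A mistyped directive such as maxage= is not a max-age and fails here,
    which is exactly the mistake a browser would silently ignore.
    """
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            max_age = int(m.group(1))
    return max_age is not None and max_age >= min_age and "includesubdomains" in directives


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status line, {lower-name: value}).

    Header names are case-insensitive, so they are lower-cased; a repeated
    header is joined with commas, as RFC 7230 permits for list-valued fields.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def audit(headers: dict[str, str]) -> dict[str, list[str]]:
    """Report missing security headers and software disclosures."""
    findings: dict[str, list[str]] = {"missing": [], "version_leaks": [], "disclosures": []}
    for name, ok in REQUIRED.items():
        if name not in headers or not ok(headers[name]):
            findings["missing"].append(name)
    server = headers.get("server", "")
    if VERSION_RE.search(server):
        findings["version_leaks"].append(f"server: {server}")  # version string: worst case
    elif PRODUCT_RE.search(server):
        findings["disclosures"].append(f"server: {server}")    # e.g. ServerTokens Prod -> Apache
    for name in DISCLOSING:
        if name in headers:
            findings["disclosures"].append(f"{name}: {headers[name]}")
    return findings


def audit_raw(raw: str) -> dict[str, list[str]]:
    return audit(parse_response(raw)[1])


def audit_live(host: str, path: str = "/", port: int = 443) -> dict[str, list[str]]:
    """Run the same audit against a running HTTPS server (not used by the samples)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return audit({k.lower(): v for k, v in resp.getheaders()})


# Constructed samples (not real captures).
IIS_DEFAULT = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
NGINX_TYPO = (  # HSTS typed as maxage=, a common copy-and-paste mistake
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.13.7\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: maxage=31536000;includeSubDomains\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Hello World!\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("IIS default", IIS_DEFAULT), ("Nginx typo", NGINX_TYPO), ("hardened", HARDENED)):
        print(label, audit_raw(raw))
```

A product-only Server value such as Apache (what ServerTokens Prod produces) is reported as a disclosure rather than a version leak, since Apache's configuration cannot go further without third-party modules. X-Xss-Protection is deliberately not in the required set: current browsers ignore it, so its absence is not worth an alert.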

Conclusion

Preventing attackers from taking advantage of sensitive information about servers is an important consideration when configuring Microsoft IIS, Nginx and Apache. Each server has its own rules for replacing or removing the information. To learn more about HTTP response headers, see RFC 7231, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content," which defines the Server header and the general rules for response header fields; the security headers shown above are specified separately, Strict-Transport-Security in RFC 6797 and X-Frame-Options in RFC 7034.

This was last published in December 2017
