3.11 Ensure X-Powered-By Header is removed - Applications

Information

The x-powered-by headers may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers.

Rationale:
While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers.

Solution

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /-'customHeaders.[name='X-Powered-By']' /commit:apphost

OR

Enter the following command in PowerShell to configure:
Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webserver/httpProtocol/customHeaders' -name '.' -AtElement @{name='XPowered-By'}

See Also

https://workbench.cisecurity.org/files/2220

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30, CSCv7|14.4

Plugin: Windows

Control ID: 4560e9db8e950ff89fa5db2dc5c19e4f830fb61f94bf11153180830c686eb398