Shhh… don’t let your response headers talk too loudly

added by troyhunt
2/28/2012 6:28:42 AM


Response headers are those little titbits of information your app is letting loose into the wild that you probably hadn’t even given a second thought. On the surface, this is innocuous data of no use to anyone, but dig a little deeper and suddenly it becomes quite useful to evildoers. Here’s a quick overview of what they are, why they can be a security concern, how to turn them off and also how to quickly test for them on your existing websites.
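As an added example (not code from the original post), here is a small checker for the "quickly test for them" part: it parses a captured raw HTTP response and reports which of the usual disclosure headers are present and whether they carry a version number. The header list and the sample response are assumptions constructed for illustration, not taken from the article.

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly reveal the server or framework in use (assumed list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Matches dotted version strings such as "7.5" or "4.0.30319".
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response into {lowercase-name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> List[Tuple[str, str, bool]]:
    """Return (header, value, discloses_version) for each disclosure header present."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


def audit_raw_response(raw: str) -> List[Tuple[str, str, bool]]:
    """Convenience wrapper: parse then audit; an empty list means the response is quiet."""
    return audit_headers(parse_response_headers(raw))


# Constructed sample response: a chatty server that names its platform and versions.
CHATTY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
# The same response after the disclosure headers have been removed.
QUIET_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, value, versioned in audit_raw_response(CHATTY_RESPONSE):
        print(f"{name}: {value} ({'version disclosed' if versioned else 'platform only'})")
```

The checker works on captured responses so it runs offline; to check a live site, fetch the response with any HTTP client and pass the raw text in.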


2/28/2012 9:16:44 AM
I agree with turning off these headers. They're of no use to the client, and just make it easier for people to determine whether the site is vulnerable. I don't think it's security through obscurity because even though the process for running a hypothetical exploit may be automated, time and bandwidth are still a constraint, and anyone seeking to exploit vulnerable sites is going to go for the low-hanging fruit.

2/28/2012 9:34:14 AM
Actually I don't understand why these headers even exist in the first place...

2/28/2012 10:18:07 AM
I would have thought that some of the headers would have been useful for generic stats (i.e. Google trawling the web to find out how many sites are run on IIS); however, going down to version numbers is a bit risky in my opinion.