Header 'RESPONSE_Server' overridden and 'enableVersionHeader' set to 'false' following the OWASP security best practice

Author: lorenzobruni

.gitignore

@@ -0,0 +1,8 @@
+/src/.vs
+/src/API.Library/bin
+/src/API.Library/obj
+/test/.vs
+/test/API.Test/bin
+/test/API.Test/obj
+/test/API.Test/Logs
+/test/API.Test/API.Test.csproj.user

test/API.Test/Web.Live.config

@@ -26,6 +26,10 @@
 			</rules>
 			 -->
 			<outboundRules>
+				<rule name="Hide Server Header">
+					<match serverVariable="RESPONSE_Server" pattern=".+" />
+					<action type="Rewrite" value="n/a" />
+				</rule>
 				<!-- Private CORS - Default -->
 				<rule name="Access-Control-Allow-Origin" enabled="true" patternSyntax="Wildcard">
 					<match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="*" />
@@ -290,4 +294,4 @@
 		</appender>
 	</log4net>
 
-</configuration>
+</configuration>

test/API.Test/Web.Test.config

@@ -26,6 +26,10 @@
 			</rules>
 			 -->
 			<outboundRules>
+				<rule name="Hide Server Header">
+					<match serverVariable="RESPONSE_Server" pattern=".+" />
+					<action type="Rewrite" value="n/a" />
+				</rule>
 				<!-- Private CORS - Default -->
 				<rule name="Access-Control-Allow-Origin" enabled="true" patternSyntax="Wildcard">
 					<match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="*" />
@@ -278,4 +282,4 @@
 		</appender>
 	</log4net>
 
-</configuration>
+</configuration>

test/API.Test/Web.UAT.config

@@ -26,6 +26,10 @@
 			</rules>
 			 -->
 			<outboundRules>
+				<rule name="Hide Server Header">
+					<match serverVariable="RESPONSE_Server" pattern=".+" />
+					<action type="Rewrite" value="n/a" />
+				</rule>
 				<!-- Private CORS - Default -->
 				<rule name="Access-Control-Allow-Origin" enabled="true" patternSyntax="Wildcard">
 					<match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="*" />
@@ -290,4 +294,4 @@
 		</appender>
 	</log4net>
 
-</configuration>
+</configuration>

test/API.Test/Web.config

@@ -27,7 +27,7 @@
 	<system.web>
 		<compilation debug="true" targetFramework="4.7.2" />
 		<!-- executionTimeout (Seconds), maxRequestLength (KB) must match maxAllowedContentLength (B) -->
-		<httpRuntime targetFramework="4.7.2" executionTimeout="600" maxRequestLength="131072" />
+		<httpRuntime targetFramework="4.7.2" executionTimeout="600" maxRequestLength="131072" enableVersionHeader="false" />
 	</system.web>
 
 	<system.webServer>
@@ -66,6 +66,10 @@
 
 		<rewrite>
 			<outboundRules>
+				<rule name="Hide Server Header">
+					<match serverVariable="RESPONSE_Server" pattern=".+" />
+					<action type="Rewrite" value="n/a" />
+				</rule>
 				<!-- Private CORS - Default -->
 				<rule name="Access-Control-Allow-Origin" enabled="true" patternSyntax="Wildcard">
 					<match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="*" />