Aspect Security Blog Insecure HTTP Header Removal

This page is a collection of instructions to remove unnecessary server headers which may be reported as part of a Penetration Test performed by a security engineer or reported via automated tools. I have cataloged these remediation instructions for many technologies in one place to save the vast amounts of searching required for some of the more obscure technologies. Each section below is be divided into a short solution and along with a longer one. The "Short Answer" gives the quick means to remove the offending header while the "Long Answer" gives more details along with alternate and (perhaps) more thorough solutions.Why bother? In general, excessive headers are bad:They expose what version of software is running on the server, reducing the work an attacker needs to do before trying to attack the system.Headers are the same for a normal user or an attacker. So, a known long string of characters in an encrypted data stream might aid an attacker in cracking open the encrypted TLS connection of another user.It's a general waste of bandwidth and processing power.