Hiding HTTP Header Information

You are viewing documentation for a version of Secret Server that is no longer supported. Delinea supports Secret Server for one year after release. This version has passed that window and will no longer receive updates. We strongly recommend upgrading to a supported version. Visit the current version of this page for the latest documentation.
For release dates, end-of-support timelines, and upgrade guidance, see the Secret Server Product Lifecycle page.

Web applications, such as Secret Server, can leak information useful to attackers via headers, error messages, version numbers, and more. To hide HTTP header information in Secret Server, follow the procedures below.

Hide the IIS Version

To hide the version of IIS used on the server, remove the HTTP header X-Powered-By by following the steps below:

  1. Open the IIS Manager.
  2. In the Connections tree, select the website that Secret Server is running under.
  3. Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.
  4. Click to select the X-Powered-By HTTP header.
  5. Click the Remove button in the Actions panel.

Hide the ASP.NET Version

To hide the version of ASP.NET used by the Secret Server application pool, remove the HTTP header X-ASPNET-VERSION by following the steps below:

  1. Open the web.config file for Secret Server, which is located in the root directory for the website.
  2. Inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.
  3. Save the file.

Hide the Server Type

To hide the server type, remove the line Server: Microsoft-HTTPAPI/2.0 (added by the .NET framework) from the HTTP response headers using the procedure below.

Although there are other methods for hiding the server type, we strongly recommend updating the Windows registry using the procedure below. Do not simply remove the server header variable. Doing so will cause parts of Secret Server to malfunction.

  1. Navigate to Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > HTTP > Parameters.
  2. Change the DisableServerHeader (REG_DWORD type) registry value from 0 to 1.
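
One way to confirm that the three procedures above took effect, as an added PowerShell example that is not part of the Delinea documentation: it checks the headers on a live response, then the web.config setting and the registry value. The URL and the web.config path are placeholder assumptions, and the Server check flags only the Microsoft-HTTPAPI string named above.

```powershell
# Added example, not Delinea's code. $Url and $WebConfig are placeholder
# assumptions: point them at your own Secret Server site and its web.config.
param(
    [string]$Url       = 'https://secretserver.example.com/',
    [string]$WebConfig = 'C:\inetpub\wwwroot\SecretServer\web.config'
)

function New-Result($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

# 1-2. Headers on a live response (-eq on strings is case-insensitive).
$resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
foreach ($name in 'X-Powered-By', 'X-AspNet-Version') {
    $hit = $resp.Headers.GetEnumerator() | Where-Object { $_.Key -eq $name }
    if ($hit) { New-Result "Header $name" $false "sent: $($hit.Value)" }
    else      { New-Result "Header $name" $true  'not sent' }
}

# 3. Only the Microsoft-HTTPAPI banner named on this page is flagged.
$server = $resp.Headers.GetEnumerator() | Where-Object { $_.Key -eq 'Server' }
$leak   = "$($server.Value)" -match 'Microsoft-HTTPAPI'
New-Result 'Server: Microsoft-HTTPAPI' (-not $leak) "Server header: '$($server.Value)'"

# web.config: <httpRuntime enableVersionHeader="false"/> under <system.web>.
[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$rt  = $cfg.SelectSingleNode('/configuration/system.web/httpRuntime')
$off = ($null -ne $rt) -and ($rt.GetAttribute('enableVersionHeader') -eq 'false')
New-Result 'web.config enableVersionHeader=false' $off "httpRuntime present: $($null -ne $rt)"

# Registry: DisableServerHeader (REG_DWORD) should be 1.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$val = (Get-ItemProperty -Path $key -Name DisableServerHeader -ErrorAction SilentlyContinue).DisableServerHeader
$shown = if ($null -eq $val) { 'not set' } else { $val }
New-Result 'Registry DisableServerHeader=1' ($val -eq 1) "current value: $shown"
```

Run it on the Secret Server web server itself, since the web.config and registry checks read local state; each check emits one object with a Pass flag.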