Cisco ASA: How can I remove the header Server and X-Powered-By from http server service?

julioegb
Level 1

Hi community friends,

 

We recently had a pentest at my company. I have an ASA 5508 for AnyConnect VPNs, version 9.8 (3) 29. During the audit, the following vulnerability appeared: Security headers not configured. They gave me the following link: https://medium.com/guayoyo/asegurando-las-cabeceras-de-respuestas-http-en-servidores-web-apache-y-nginx-2f71e62ffda4. The problem is that the HTTPS responses from the ASA are including the Server & X-Powered-By headers.

 

I want to know how I can remove those headers from the HTTPS responses. Can I apply an update to solve this issue?

2 Replies

marce1000
VIP

 

 - As the product can be seen as being an appliance in this context, presumably only by making a support case or filing an enhancement request.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

The only two headers I'm aware of that you can remove on the ASA are the x-content and the x-xss. However, it is very interesting to see the ASA returning the Server and the x-powered values, as I think it should not. Do you know if that scanner was running on the ASA outside interface or on the inside? Did you actually see those values reported by the pentest scanner?
