
Cisco ASA: How can I remove the header Server and X-Powered-By from http server service?

julioegb
Level 1

Hi community friends,

 

We recently had a pentest at my company. I have an ASA 5508 for AnyConnect VPNs, version 9.8 (3) 29. During the audit, the following vulnerability appeared: Security headers not configured. They gave me the following link: https://medium.com/guayoyo/asegurando-las-cabeceras-de-respuestas-http-en-servidores-web-apache-y-nginx-2f71e62ffda4. The problem is that the HTTPS responses from the ASA include the Server and X-Powered-By headers.

 

I want to know how I can remove those headers for the HTTPS responses. Can I make an update to solve this issue?

2 Replies

marce1000
Hall of Fame

 

 - As the product can be seen as being an appliance in this context, presumably only by making a support case, or filing an enhancement request.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

The only two headers I'm aware of that you can remove on the ASA are the x-content and the x-xss. However, it is very interesting to see the ASA returning the Server and the x-powered values, as I think it should not. Do you know if that scanner was running on the ASA outside interface or on the inside? Did you actually see those values reported by the pentest scanner?
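
One way to confirm what the scanner reported, as an added example that is not part of the original thread or Cisco's tooling: it audits a response's headers for `Server` / `X-Powered-By` disclosure and for absent security headers. The `EXPECTED` list is an assumed, commonly audited set (the pentest report's own list is not in the thread), and the sample response is constructed with placeholder values.

```python
import http.client
import ssl

DISCLOSURE = ("server", "x-powered-by")  # the two headers named in the question
# Assumption: a commonly audited set; the pentest report's own list is not in the thread.
EXPECTED = ("strict-transport-security", "x-content-type-options",
            "x-frame-options", "content-security-policy")

def parse_head(raw):
    """Parse a raw response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers):
    """Report disclosure headers that are present and expected ones that are absent."""
    return {"disclosed": {h: headers[h] for h in DISCLOSURE if h in headers},
            "missing": [h for h in EXPECTED if h not in headers]}

def fetch_head(host, port=443, path="/", timeout=5.0):
    """Fetch live headers from an appliance you administer.
    Certificate checks are disabled only because appliances often present
    self-signed certificates; nothing sensitive is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        headers = {}
        for name, value in conn.getresponse().getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return headers
    finally:
        conn.close()

# Constructed sample response head; the values are placeholders, not ASA output.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: ExampleServer/1.0\r\n"
          "X-Powered-By: ExampleFramework\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    print(audit(parse_head(SAMPLE)))
```

Running `audit(fetch_head(...))` once against the outside interface address and once against the inside one, and comparing the two results, answers the question raised in the last reply about where the scanner saw the headers.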