Prevent Azure app service from returning server information during an NMap scan

I have a VueJs application hosted on Azure which is returning the following information when the application URL is scanned using NMap. How do I prevent the highlighted information from being returned?


I already have the following in the Web.Config file for the VueJs application (inside the public folder):

<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

Is there anything that I'm missing?



Solution 1:[1]

We have a feature request on this. Kindly upvote this request: remove server header from the front end servers

Our product engineering has been evaluating the feature request (or / for any short-term possibilities), however there is no concrete info/ETA to share.

Just to highlight on the alternate solution(s):

1. If your requirements fit, you may leverage App Gateway. It has the capability to completely remove the “Server” response header from responses and will not reveal even the server version of the proxy itself. The security scans will be successful at this point.

2. App Gateway is a regional service capable of hosting up to 100 endpoints. It would be one App Gateway per region per 100 sites behind the reverse proxy.

-- Depending on the scenario/requirement, although I certainly understand this alone costs overhead and maintenance effort and may not be a suitable option for every case.

-- Additionally, it is not currently possible to implement a custom error page instead of the default “Azure 404” or similar pages. Feature request for custom 403 or 503: please consider up-voting this feature request.

Kindly be assured that I have relayed your feedback to our product engineering team. Thanks for your patience!
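To confirm which disclosure headers a deployment still returns, and which setting governs each, a response can be audited as below. This is an added example, not part of the original question or answer. The sample responses are constructed, and the `X-Powered-By` entry is a standard IIS setting assumed here that does not appear in the question's Web.config.

```python
import re

# Disclosure headers mapped to the setting that controls each one.
# The first two settings are the ones in the question's Web.config; the
# X-Powered-By entry is an assumption (standard IIS config, not on the page).
DISCLOSURE_HEADERS = {
    "server": 'requestFiltering removeServerHeader="true"',
    "x-aspnet-version": 'httpRuntime enableVersionHeader="false"',
    "x-powered-by": 'httpProtocol/customHeaders <remove name="X-Powered-By" />',
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw):
    """Parse a raw HTTP response head into (lowercased name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return one finding per disclosure header present in the response."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSURE_HEADERS:
            findings.append({
                "header": name,
                "value": value,
                "has_version": bool(VERSION_RE.search(value)),
                "controlled_by": DISCLOSURE_HEADERS[name],
            })
    return findings


# Constructed sample responses (not captured from a real site).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/10.0\r\nX-AspNet-Version: 4.0.30319\r\n"
          "X-Powered-By: ASP.NET\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Server: Microsoft-IIS/10.0\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for f in audit(raw):
            print(label, f["header"], repr(f["value"]), "->", f["controlled_by"])
```

A `Server` finding that persists after the Web.config is deployed matches the situation the answer describes, where the header comes from the front end servers rather than from the application.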

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 AjayKumar-MSFT