Hiding HTTP Response Headers with Azure Front Door

HTTP response headers from your server can contain plenty of useful information. Some of it, however, you may wish to keep private, especially anything that publicly indicates what your tech stack looks like.

A good example here is X-Aspnet-Version, which, as the name suggests, indicates what version of ASP.NET you’re running. You probably already know this, and advertising it publicly gains you little while creating a security risk.

Removing headers is easy enough in IIS and it’s something I’ve done in the past using URL Rewrite and HTTP Response Headers.

It’s also fairly simple to control headers in Azure Front Door. The example below clearly shows the X-Aspnet-Version header.

This header can be removed by creating a simple rule set and assigning that rule set to your route.

You can also use rules to add headers that help you check that your routing is as you would expect. Once you’re happy that your application is stable, you could write another rule that hides all of them; that rule could then be removed whenever an investigation is required.
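
One way to confirm the rule is doing its job, as an added example that is not part of the original post: the script reads a header dump (such as `curl -sI` output), checks for `X-Azure-Ref` to confirm the response came through Front Door, and lists any disclosing headers that survived. The header list, function names and sample responses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit response headers for
# stack disclosure once the Front Door rule set is attached to the route.
# Live use: curl -sI https://<your-front-door-hostname>/ | audit

# Assumed list of disclosing headers (lower case); extend for your stack.
DISCLOSING="x-aspnet-version x-aspnetmvc-version x-powered-by"

# Print each disclosing header name found in the dump on stdin.
leaked_headers() {
    tr -d '\r' | awk -F: -v list="$DISCLOSING" '
        BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        index($0, ":") {                 # status and blank lines have no colon
            name = tolower($1)           # header names are case-insensitive
            if (name in bad && !seen[name]++) print name
        }'
}

# Succeed if the dump carries X-Azure-Ref, which Front Door adds to responses.
via_front_door() {
    tr -d '\r' | grep -qi '^x-azure-ref:'
}

# Return 0 = clean, 1 = header leaked, 2 = response bypassed Front Door.
audit() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | via_front_door; then
        echo "WARN: no X-Azure-Ref, response did not come via Front Door"
        return 2
    fi
    leaked=$(printf '%s\n' "$dump" | leaked_headers | tr '\n' ' ')
    [ -z "$leaked" ] && { echo "OK: no disclosing headers"; return 0; }
    echo "LEAK: $leaked"
    return 1
}

# Constructed samples: before the rule, and after a rule deleting one header.
sample_before() {
    printf 'HTTP/1.1 200 OK\r\nX-Aspnet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\nX-Azure-Ref: CONSTRUCTED-1\r\n\r\n'
}
sample_after() {
    printf 'HTTP/1.1 200 OK\r\nx-powered-by: ASP.NET\r\nX-Azure-Ref: CONSTRUCTED-2\r\n\r\n'
}
sample_clean() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Azure-Ref: CONSTRUCTED-3\r\n\r\n'
}

for s in sample_before sample_after sample_clean; do "$s" | audit || true; done
```

The second sample shows that deleting X-Aspnet-Version alone leaves other stack headers in place, and exit code 2 flags a request that reached the origin without passing through Front Door, where the rule set does not apply.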