This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.

Issue

If you are performing a penetration test on your SmartForms, you may encounter a warning that the HTTP response headers returned by the server disclose information about the web server and framework (product names and version numbers) that could be useful to an attacker.

Symptoms

The penetration test report flags the following HTTP response headers as an information disclosure finding, because each reveals the product or version of a server component:

  • X-AspNet-Version (the .NET Framework version)
  • X-AspNetMvc-Version (the ASP.NET MVC version)
  • X-Powered-By (typically "ASP.NET")
  • Server (the IIS product and version)


Resolution

Please note that these headers are not added by K2; they are inserted automatically by IIS and the .NET Framework. The changes below are therefore made at the IIS and ASP.NET level for the STS application, not in K2 itself.

To remove the X-AspNet-Version, X-AspNetMvc-Version, and Server headers:

  1. If you are using the Forms STS for authentication, go to [Program Files]\K2 blackpearl\WebServices\Identity\Sts\Forms.
  2. If you are using the Windows STS instead, go to [Program Files]\K2 blackpearl\WebServices\Identity\Sts\Windows.
  3. Open Global.asax with a text editor.
  4. Append the following block to the end of the file and save:

    <script runat="server">
     // Runs just before IIS sends the response headers to the client, at which
     // point the headers added by ASP.NET and IIS are present and can be stripped.
     protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
     {
       HttpContext context = HttpContext.Current;
       if (context == null) return;   // nothing to strip for a request without a context

       HttpResponse response = context.Response;
       response.Headers.Remove("X-AspNet-Version");    // .NET Framework version
       response.Headers.Remove("X-AspNetMvc-Version"); // ASP.NET MVC version
       response.Headers.Remove("Server");              // IIS product and version
     }
    </script>

Two caveats: Response.Headers can only be modified when the application pool runs in the Integrated managed pipeline mode (in Classic mode the Remove call throws a PlatformNotSupportedException), and the handler only affects responses that pass through this ASP.NET application, so static files served directly by IIS will still carry the Server header.

To remove the X-Powered-By header:

  1. Open IIS Manager.
  2. Expand Sites > [Your K2 Site] > Identity > Sts.
  3. Select Forms if you are using the Forms STS for authentication; otherwise, select Windows if you are using the Windows STS.
  4. Open the HTTP Response Headers feature.
  5. Select X-Powered-By and click Remove. This writes a <remove name="X-Powered-By" /> entry into the application's web.config, overriding the server-level header.
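The same change can be scripted for repeatable deployments. The following PowerShell is an added example, not a script shipped with K2 or taken from this article; it uses the WebAdministration module to write the same <remove name="X-Powered-By" /> entry into the STS application's web.config that IIS Manager writes. The site name "K2" and the application path under it are assumptions and must be replaced with the values for your own installation. Run it in an elevated PowerShell session on the K2 web server.

```powershell
# Added example (not K2 code): remove the X-Powered-By response header for one STS application.
Import-Module WebAdministration

$siteName = 'K2'                    # assumption: the IIS site that hosts your K2 installation
$stsApp   = 'Identity/Sts/Forms'    # assumption: use 'Identity/Sts/Windows' for the Windows STS
$psPath   = "IIS:\Sites\$siteName\$stsApp"
$filter   = 'system.webServer/httpProtocol/customHeaders'

if (-not (Test-Path $psPath)) {
    throw "IIS path not found: $psPath (check the site name and STS application path)"
}

# List the custom headers that are effective for this application before the change.
# X-Powered-By is normally inherited from applicationHost.config at the server level.
$before = @(Get-WebConfiguration -PSPath $psPath -Filter "$filter/add")
Write-Host "Custom headers effective for $psPath before the change:"
$before | Select-Object name, value | Format-Table -AutoSize | Out-String | Write-Host

if ($before | Where-Object { $_.name -ieq 'X-Powered-By' }) {
    # Removing an inherited collection element at this level makes IIS write
    # <remove name="X-Powered-By" /> into the application's web.config,
    # which is exactly what the Remove action in IIS Manager does.
    Remove-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -AtElement @{ name = 'X-Powered-By' }
    Write-Host "Removed X-Powered-By for $psPath"
} else {
    Write-Host "X-Powered-By is not effective for $psPath; nothing to do"
}

# Confirm the header is gone from the effective collection for this application.
$after = @(Get-WebConfiguration -PSPath $psPath -Filter "$filter/add") |
    Where-Object { $_.name -ieq 'X-Powered-By' }
if ($after) { throw "X-Powered-By is still configured for $psPath" }
Write-Host 'X-Powered-By is no longer in the effective custom headers.'
```

The script is idempotent: running it a second time reports that there is nothing to do. Repeat it with $stsApp set to the Windows STS path if both STS applications are in use.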

Once you are done, perform an IISRESET, clear the browser cache, and verify that the headers no longer appear in the responses from the STS pages.
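A browser's developer tools will show the headers, but a script gives a repeatable check that can be kept with the hardening notes. The following PowerShell is an added example, not part of this article or of K2; it requests the STS page without following redirects and reports which of the four flagged headers are still returned. The URL is an assumed placeholder to be replaced with your own Forms or Windows STS address. A 401 from the Windows STS is handled deliberately, because that response still carries the headers under test.

```powershell
# Added example (not K2 code): report which server-identifying headers an STS endpoint still returns.
param(
    # Assumption: placeholder URL; use your own Forms or Windows STS page.
    [string]$Url = 'https://k2.example.local/Identity/Sts/Forms/',
    [string[]]$HeaderNames = @('X-AspNet-Version', 'X-AspNetMvc-Version', 'X-Powered-By', 'Server')
)

function Get-HttpResponseHeaders {
    param([string]$Uri)

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false      # inspect the STS page itself, not a redirect target
    $request.UseDefaultCredentials = $true   # lets the Windows STS complete Negotiate/NTLM

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # A 401/403/500 is still a full response with headers; only give up if there is none.
        $response = $_.Exception.Response
        if (-not $response) { throw }
    }

    try {
        $headers = @{}
        foreach ($name in $response.Headers.AllKeys) { $headers[$name] = $response.Headers[$name] }
        [pscustomobject]@{ StatusCode = [int]$response.StatusCode; Headers = $headers }
    } finally {
        $response.Close()
    }
}

$result = Get-HttpResponseHeaders -Uri $Url
Write-Host ("HTTP {0} from {1}" -f $result.StatusCode, $Url)

$stillPresent = @()
foreach ($name in $HeaderNames) {
    # Header names are case-insensitive, so compare without regard to case.
    $match = $result.Headers.Keys | Where-Object { $_ -ieq $name } | Select-Object -First 1
    if ($match) {
        $stillPresent += $name
        Write-Host ("  STILL PRESENT  {0}: {1}" -f $match, $result.Headers[$match])
    } else {
        Write-Host ("  removed        {0}" -f $name)
    }
}

if ($stillPresent.Count -gt 0) {
    Write-Host ("{0} header(s) still disclosed; check the pipeline mode and the web.config of the STS application." -f $stillPresent.Count)
    exit 1
}
Write-Host 'None of the flagged headers were returned.'
exit 0
```

Run it against both STS applications if both are deployed, and again after any IIS or .NET Framework update, since a repair install can restore the server-level defaults.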