the next door (so called) geek

@rakkimk | your next door geek | friend | blogs mostly on technology, and gadgets.

Removing the X-Powered-By response header from Windows Azure Web Sites

People do want to remove this header as a part of some of their security audit that claims to know the server software running their site, and that knowledge will make an attacker craft malicious attacks known for that server version. If you are on latest versions of any server side framework, you should be good. But, some think it is always a good idea to remove that.

In PHP, you have to set the expose_php setting to Off to hide the PHP version information from the response headers. In Windows Azure Web Site, you can have optional .user.ini file where some of the PHP settings can be overridden. You can look at the steps mentioned in this article. For example, look at this blog by one of my colleague talking about increasing the upload limit for the files. However, there are a few core PHP settings that cannot be overridden from this .user.ini file. Don’t worry, WAWS gives you an option to host your custom PHP runtime. This article has steps for the same.


<?xml version="1.0" encoding="UTF-8"?>
                <rule name="Set PoweredBy Header" preCondition="IsHtml">
                    <match serverVariable="RESPONSE_X_Powered_By" pattern="(.+)" />
                    <action type="Rewrite" value="" />
                    <preCondition name="IsHtml">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />


Hope this helps!

Pingbacks and trackbacks (3)+

Add comment

  • Comment
  • Preview