Excessive headers

You will probably find this issue during the manual browsing and spidering phase of your assessment, and when performing the Fingerprint Web Server (Passive) and Fingerprint Web Server (Active) tests.

Burp Suite Example

Nikto Example

Server: Microsoft-IIS/8.5
Retrieved x-aspnet-version header: 2.0.50727


By default, excessive information about the server and the frameworks used by the website or web application is returned in the response headers.
These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers.


Configuring the application not to return unnecessary headers withholds this information and makes it significantly more difficult to identify the underlying frameworks.
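As an added example (not part of the original notes), the following Python script parses a raw HTTP response and reports the disclosure headers described above, rating those that carry a version string higher than a bare product name. The sample response is constructed to mirror the Nikto output; the header list and severity rule are assumptions for this illustration.

```python
import re
from email.parser import Parser  # stdlib parser handles RFC 822-style header blocks

# Headers that commonly disclose server / framework details (assumed list).
DISCLOSURE_HEADERS = {
    "server": "web server software",
    "x-powered-by": "application framework",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
}

VERSION_RE = re.compile(r"\d+(\.\d+)+")  # matches e.g. 8.5 or 2.0.50727


def parse_headers(raw_response: str) -> dict:
    """Return a lowercased-name -> value dict from a raw HTTP response."""
    text = raw_response.replace("\r\n", "\n")          # tolerate bare LF responses
    _status_line, _, rest = text.partition("\n")       # drop "HTTP/1.1 200 OK"
    header_block = rest.split("\n\n", 1)[0]            # headers end at the blank line
    msg = Parser().parsestr(header_block)
    return {name.lower(): value.strip() for name, value in msg.items()}


def find_excessive_headers(raw_response: str) -> list:
    """Return (header, value, severity) for each disclosure header present."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name in DISCLOSURE_HEADERS:
            # A version string narrows the target to specific known flaws,
            # so it is rated higher than a product name alone (assumed rule).
            severity = "high" if VERSION_RE.search(value) else "medium"
            findings.append((name, value, severity))
    return findings


# Constructed sample response modelled on the Nikto output above.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, value, severity in find_excessive_headers(SAMPLE):
        print(f"[{severity}] {name}: {value}  ({DISCLOSURE_HEADERS[name]})")
```

On IIS/ASP.NET the X-AspNet-Version header is suppressed with `<httpRuntime enableVersionHeader="false" />` in web.config, and X-Powered-By is dropped by removing it under `<customHeaders>`; re-run the check after the change to confirm the headers are gone.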