Unable to hide server name in Django-based website hosted in Azure web app

A Django-based website is hosted in an Azure web app (Python 3.8). As part of the security measures, I am trying to hide the server name from the response header. By default, it is gunicorn/20.0.4. In the Django app, I have implemented a middleware layer and added the following code:

class testMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["Server"] = "dummyserver"
        response["X-XSS-Protection"] = 1

        return response

 

In the local environment, this setting works. In the response header, the server name was dummyserver. But once it is deployed to the Azure web app, the server name is displayed as gunicorn/20.0.4 in the response header, while, strangely, other settings like X-XSS-Protection work as expected.

It looks like the Azure web app replaces the Django server name by default. Is there any way we can handle this? Thanks for your help.

Update 24/01/2021

I also tried this option:

https://stackoverflow.com/questions/16010565/how-to-prevent-gunicorn-from-returning-a-server-http-he...

 

But once deployed, it didn't resolve the problem.

I added gunicorn.SERVER_SOFTWARE = "dummyserver", but it didn't work out.

import gunicorn

class testMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        response["Server"] = "dummyserver"
        response["X-XSS-Protection"] = 1
        gunicorn.SERVER_SOFTWARE = "dummyserver"

        return response

 

0 Replies
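
A check for the symptom described in the post, added here as an example and not part of the original post: it audits a response's headers for a `Server` banner that names a product and version, and treats `X-XSS-Protection` as evidence that the middleware ran. The sample responses are constructed, and the names `parse_raw` and `audit` are hypothetical.

```python
import io
import re
from http.client import HTTPMessage, parse_headers
from typing import List

# Matches a product/version token such as "gunicorn/20.0.4".
VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")


def parse_raw(raw: bytes) -> HTTPMessage:
    """Parse the header block of a raw HTTP response (status line skipped)."""
    fp = io.BytesIO(raw)
    fp.readline()
    return parse_headers(fp)


def audit(headers: HTTPMessage, expected: str = "dummyserver") -> List[str]:
    """Return findings; an empty list means the middleware's values were served."""
    findings = []
    banners = headers.get_all("Server") or []
    if len(banners) > 1:
        findings.append("multiple Server headers: %r" % banners)
    for banner in banners:
        match = VERSIONED.search(banner)
        if match:
            findings.append("Server discloses product/version: " + match.group())
        elif banner != expected:
            findings.append("unexpected Server value: " + banner)
    # The middleware sets this header too, so if it is present while Server
    # is wrong, the middleware ran and Server was set somewhere after it.
    if headers.get("X-XSS-Protection") is None:
        findings.append("X-XSS-Protection missing: middleware header not served")
    return findings


# Constructed sample responses (not captured from a real deployment).
LOCAL = parse_raw(b"HTTP/1.1 200 OK\r\nServer: dummyserver\r\n"
                  b"X-XSS-Protection: 1\r\n\r\n")
DEPLOYED = parse_raw(b"HTTP/1.1 200 OK\r\nServer: gunicorn/20.0.4\r\n"
                     b"X-XSS-Protection: 1\r\n\r\n")
BOTH = parse_raw(b"HTTP/1.1 200 OK\r\nServer: gunicorn/20.0.4\r\n"
                 b"Server: dummyserver\r\nX-XSS-Protection: 1\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("local", LOCAL), ("deployed", DEPLOYED), ("both", BOTH)):
        print(name, audit(sample))
```

For a check against a running site, `urllib.request.urlopen(url).headers` is also an `HTTPMessage` and can be passed to `audit` directly.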