Justification against Server Information Disclosure

Zenith Nandy 65 Reputation points
2025-11-17T12:19:18.8766667+00:00

Our Application is hosted in Azure environment. We had a security scan on our application which has flagged the response header Server: Microsoft-Azure-Application-Gateway/v2 as “Server Information Disclosure,” claiming that exposing “v2” reveals sensitive server details. It says "Server information like the server’s name, version etc. are shown in the response header"

From what I understand, this header is standard for Azure Application Gateway and does not expose any exploitable internal information. So I need a bit of detailed justification from your side that I can directly refer to when reporting this finding as invalid, thanks.

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

Answer accepted by question author
  1. Vallepu Venkateswarlu 1,145 Reputation points Microsoft External Staff Moderator
    2025-11-17T15:32:03.59+00:00

    Hi @Zenith Nandy

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Application Gateway automatically adds the X-Forwarded-For header to every incoming request before forwarding it to the backend. This header includes a comma-separated list of IP addresses with ports, but some backend applications only require the IP addresses without the port numbers. You can use Header Rewrite to strip the port information. The recommended approach is to rewrite the header using the add_x_forwarded_for_proxy server variable, which inserts only the client IP addresses without ports.

    As mentioned in the Application Gateway header rewrite limitations.

    Rewrites aren't supported for 4xx and 5xx responses generated directly from Application Gateway

    Reference: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

    You may want to remove headers that expose sensitive information in an HTTP response, such as backend server details, operating system, or library versions. The Application Gateway allows you to strip these headers for enhanced security. Follow the Delete unwanted headers steps to delete unwanted header information.

    Refer to https://learn.microsoft.com/en-us/answers/questions/1409227/application-gateway-server-information-disclosure, which relates to the same issue.

    In addition to your previous question, please see the response below.

    Is it a security vulnerability if I leave the header as-is?

    No — this is not a security vulnerability.

    The header:

    Server: Microsoft-Azure-Application-Gateway/v2

    does not expose any sensitive details such as OS version, framework version, internal server configuration, or exploitable information.

    What does “v2” signify, and is it safe for it to appear?

    Yes, it is completely safe.

    The “v2” label simply indicates the generation of the Azure Application Gateway SKU. It does not disclose internal patch levels, component versions, or anything that could assist an attacker.

    Keeping this header unchanged is not a security risk, and the presence of “v2” in the header is fully acceptable and safe.

    Reference: https://learn.microsoft.com/en-us/azure/application-gateway/overview-v2#sku-types

    If it is storing any sensitive information, you can create a rewrite rule to remove or modify the header.

    Reference: https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
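The rewrite approach the accepted answer points to, as an added Bicep example (not from the thread or from Microsoft's documentation): a rewrite rule set that deletes the Server response header and replaces X-Forwarded-For with client IPs only, using the add_x_forwarded_for_proxy server variable mentioned above. The rule set name, rule names and sequence numbers are placeholders; the array belongs under properties.rewriteRuleSets of the Microsoft.Network/applicationGateways resource and must be attached to a request routing rule via rewriteRuleSet.id before it takes effect.

```bicep
// Added example. Place this array in properties.rewriteRuleSets of the
// Microsoft.Network/applicationGateways (v2 SKU) resource and reference it
// from a requestRoutingRule with rewriteRuleSet: { id: ... }.
// Caveat from the linked limitations page: rewrites do not apply to 4xx/5xx
// responses generated by Application Gateway itself, so those responses
// will still carry the Server header.
var rewriteRuleSets = [
  {
    name: 'strip-server-header'          // placeholder rule set name
    properties: {
      rewriteRules: [
        {
          name: 'delete-server-header'   // placeholder rule name
          ruleSequence: 100
          conditions: []                 // unconditional: every response
          actionSet: {
            // An empty headerValue removes the header from the response.
            responseHeaderConfigurations: [
              {
                headerName: 'Server'
                headerValue: ''
              }
            ]
          }
        }
        {
          name: 'xff-client-ips-only'    // placeholder rule name
          ruleSequence: 200
          conditions: []
          actionSet: {
            // Server variable that yields the client IP list without ports.
            requestHeaderConfigurations: [
              {
                headerName: 'X-Forwarded-For'
                headerValue: '{var_add_x_forwarded_for_proxy}'
              }
            ]
          }
        }
      ]
    }
  }
]
```

After deployment, verify by requesting a page that the backend actually serves (a 200 response) and confirming the Server header is absent; an Application Gateway-generated 502 is not a valid check because of the limitation noted in the comments.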

1 additional answer

  1. Q&A Assist
    2025-11-17T12:19:37.7533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The presence of the Server: Microsoft-Azure-Application-Gateway/v2 header is indeed standard for Azure Application Gateway and is not indicative of a security vulnerability. This header is part of the normal operation of the Application Gateway and serves to identify the service handling the request.

    1. Standard Behavior: The Application Gateway is designed to manage and route traffic efficiently, and the inclusion of the version number (in this case, v2) is a standard practice for many web servers and gateways. It helps in identifying the version of the service being used, which can be useful for troubleshooting and support purposes.
    2. No Sensitive Information: The version number does not disclose any sensitive internal information about the server's configuration, architecture, or vulnerabilities. It does not provide attackers with exploitable information that could lead to a breach or compromise of the application.
    3. Security Best Practices: While it is generally a best practice to minimize the amount of information exposed in HTTP headers, the Azure Application Gateway is designed with security in mind. The information disclosed through this header does not provide an attack vector for potential exploits.
    4. Mitigation Options: If your organization still wishes to reduce the information disclosed in headers, consider implementing a web application firewall (WAF) or using custom headers to mask or modify the default headers. However, this is not typically necessary for the Azure Application Gateway as it is already secure by design.

    In summary, the Server header in this context does not pose a security risk and is a standard part of the Azure Application Gateway's operation. Reporting this finding as invalid is justified based on the above points.

