IIS Path disclosure
Description
The web server is configured to include the "X-SourceFiles" HTTP response header, which discloses the full physical file system path of the application source code file that generated the response. This header is typically added by IIS during development or debugging and should not be present in production environments.
Remediation
Remove the "X-SourceFiles" header from HTTP responses by disabling debug mode and ensuring proper production configuration in IIS. This can be accomplished through the following steps:
1. Open IIS Manager and navigate to your application
2. Select "HTTP Response Headers"
3. Remove any custom "X-SourceFiles" header if present
4. Ensure the application is not running in debug mode by verifying the web.config file contains:
   <configuration>
     <system.web>
       <compilation debug="false" />
     </system.web>
   </configuration>
5. Alternatively, add a custom outbound rule in web.config to explicitly remove this header:
   <system.webServer>
     <httpProtocol>
       <customHeaders>
         <remove name="X-SourceFiles" />
       </customHeaders>
     </httpProtocol>
   </system.webServer>
After making changes, restart the application pool and verify the header is no longer present in responses.
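The following is an added verification check, not part of this advisory or of IIS itself: it takes a raw response head and the text of web.config (the samples are constructed inline), flags the header case-insensitively, decodes the disclosed path (assuming the value is carried as an RFC 2047 base64 encoded word), and confirms compilation debug is off.

```python
import base64
import re
import xml.etree.ElementTree as ET


def parse_headers(raw_head):
    """Split a raw HTTP response head into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw_head.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_source_files(pairs):
    """Return the X-SourceFiles value (header names are case-insensitive), else None."""
    for name, value in pairs:
        if name.lower() == "x-sourcefiles":
            return value
    return None

def decode_path(value):
    """Recover the disclosed path. Assumption: the value is an RFC 2047 base64
    encoded word (=?UTF-8?B?...?=); any other value is returned unchanged."""
    m = re.fullmatch(r"=\?UTF-8\?B\?([A-Za-z0-9+/=]+)\?=", value, re.IGNORECASE)
    return base64.b64decode(m.group(1)).decode("utf-8") if m else value

def debug_enabled(web_config_xml):
    """True only if <system.web><compilation debug="true"/> is set (the default is false)."""
    comp = ET.fromstring(web_config_xml).find("./system.web/compilation")
    return comp is not None and comp.get("debug", "false").lower() == "true"

def audit(raw_head, web_config_xml):
    """Return the findings a reviewer would report against the remediation checklist."""
    findings = []
    value = find_source_files(parse_headers(raw_head))
    if value is not None:
        findings.append("X-SourceFiles present, discloses: " + decode_path(value))
    if debug_enabled(web_config_xml):
        findings.append('web.config sets compilation debug="true"')
    return findings

# Constructed samples, not captured from a real server.
SAMPLE_PATH = r"C:\inetpub\wwwroot\app\Default.aspx"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_PATH.encode("utf-8")).decode("ascii")
LEAKY_HEAD = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "X-SourceFiles: =?UTF-8?B?" + SAMPLE_TOKEN + "?=\r\n\r\n")
CLEAN_HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
DEBUG_CONFIG = '<configuration><system.web><compilation debug="true" /></system.web></configuration>'
PROD_CONFIG = '<configuration><system.web><compilation debug="false" /></system.web></configuration>'
```

Run `audit(LEAKY_HEAD, DEBUG_CONFIG)` before the fix and `audit(CLEAN_HEAD, PROD_CONFIG)` after; an empty list means both checklist items pass.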