Question

How to validate that X-*-* headers are not included in the server response?

Answer

Header removal is done by implementing the changes to web.config files corresponding to the required web application. Therefore, if header removal was performed for the Web Verification Stations only, the validation should be performed for the http://<server name>/FlexiCapture12/Verification/ URL.

In order to validate if the headers were removed from the server response, check this either through the vulnerabilities monitoring tool where the report was generated or by accessing the corresponding URL in the browser.

For example, if headers are disabled for the Login page, check the Network tab in the browser's developer's tools when accessing http://localhost/FlexiCapture12/Login. The necessary headers will be shown in the response headers section accordingly:

Additional information

Securing your IIS server