Strip version disclosures from response headers

[jfrank-nih]

Response headers for certain pages contain information about the IIS and ASP.NET versions used. NCI recommendations are to suppress version information in responses.

Issue

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popHelp.html
Response Headers: server contains the IIS version

URL: https://www-test-acsf.cancer.gov/Common/PopUps/popDefinition.aspx?id=CDR0000045849&language=English&version=Patient
Response Headers: server contains the IIS version and x-aspnet-version contains software version

Remedy

Remove the offending headers.

[jfrank-nih]

@blairlearn, we could bug the hosting team, or... everything passes through Akamai from the origin, correct? In which case we could strip out headers there.

[blairlearn]

Unfortunately, prior to IIS 10, there's no ability to remove the server header.
Possibly the x-aspnet-version header.

[jfrank-nih]

Fair enough. But could we remove with Akamai?

[blairlearn]

No, this isn't a problem in CGDP, it shows up there because of how things are mapped through Akamai. The correct fix is to address it in dynamic services. (Which is where I'll be moving this ticket momentarily.)