How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).
Table of Contents
Normal HTTP Response headers
Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.
Therefore it’s advised to remove at least some of them.
This is what a normal HTTP HEAD response looks like:
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:05:34 GMT
Connection: closeAnd here IIS displays its version information in a Server header as response:
Server: Microsoft-IIS/8.0As with removing ETag headers in IIS, you can rewrite and empty the Server: HTTP response header in IIS with a URL Rewrite outboundRule.
Remove Server response header with an outboundRule URL Rewrite rule
On IIS 7+ (IIS 7, 8.5, 8.0, 8.5), you can use a rewrite to remove the Server: header from the response.
You can use the following URL Rewrite Outbound rule:
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>What the outboundRule does is: it looks for the header – or serverVariable – Server: in the output response stream, and rewrites the value with an empty string (nothing).
The end result is an empty Server: response header line:
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:06:08 GMT
Connection: closeYou’ve now successfully removed the Server response header!
This is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the Server header, so you may need to remove this rule for those applications.
Rewrite Server: Microsoft-IIS/8.0 with your own information – just for the fun
The fun part of rewriting response headers is that you can display your own string, for example by giving in an value in the Rewrite action, that message is displayed:
<action type="Rewrite"
value="Saotn Server Software systems, LTD." />HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Saotn Server Software systems, LTD.
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 11:19:16 GMT
Connection: closeFun, heh :)
Remove X-Powered-By header in IIS using web.config customHeaders
By default IIS tells the world it’s powered by ASP.NET, by placing an X-Powered-By header:
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:07:37 GMT
Connection: closeThis response header can be removed with a customHeaders setting in web.config, placed in the <system.webServer> node:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>Now the X-Powered-By header is removed from the response header output
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:10:02 GMT
Connection: closeX-AspNet-Version header
The X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used. Add the following content inside the <system.web> node in your application’s web.config file:
<httpRuntime
enableVersionHeader="false" />Remove HTTP headers in Global.asax
ASP.NET programmers may also remove or change server HTTP response headers through a global.asax file In your global.asax.cs add this:
See the #Protip below for why not to use this code with managed modules that implement IHttpModule:
protected void Application_PreSendRequestHeaders()
{
// Response.Headers.Remove("Server");
Response.Headers.Set("Server","My httpd server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}Pro Tip: an update, taken from Ilya Grebnov’s post edit on StackOverflow:
You can use the
PreSendRequestHeadersandPreSendRequestContextevents with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.
protected void Application_BeginRequest(object sender, EventArgs e)
{
var application = sender as HttpApplication;
if (application != null && application.Context != null)
{
application.Context.Response.Headers.Remove("Server");
}
}To remove X-AspNetMvc-Version in your Global.asax file, create/find the Application_Start event and add a line as follows:
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
Azure: Remove ‘Server’ And ‘X-Powered-By’ headers from your Azure websites
You can now hide the Server and X-Powered-By headers by adding an entry to your web.config system.webServer node:
<security>
<requestFiltering removeServerHeader ="true" />
</security>Extra IIS security measurements
For a safe website it’s important to take extra security measures, whether you host your website on Windows Server IIS, Linux Apache or Nginx. Below you’ll find some tips to tighten your website’s security.
- HackRepair.com's Bad Bots .htaccess translated to web.config, for IIS
- enable HSTS Strict-Transport-Security header in IIS
- How to remove IIS Server header
- Add SSL in WordPress. See my WordPress web.config for more information & examples
- Use .htaccess as a Web Application Firewall (WAF – 7 tips!), or filter web traffic with blacklists
- Also, don’t forget to secure the WordPress uploads folder by disabling PHP execution!
If you have a valuable tip, please let met know and drop me a comment.
Is there any way to completely remove “Server: Microsoft-IIS/8.0” from a site having static pages only like ?
0
0
Hi Kunal, thank you for your comment.
An IIS Outbound Rule rewrites the output stream (HTTP response), so it’ll also remove the Server header from static HTML files.
0
0
This article was very helpful. The $2 donation is worth it.
0
0
Thank you very much, much appreciated! :)
0
0
I’ve a issue with the solution.
I can do a request to /blalbla.axd (every name possible) and then the “Server” variable will have a value…
0
0
Hi Ansonmus, thanks for your comment.
The
.axdfile type is handled by the .NET Framework and often falls beyond the scope of URL Rewrite.0
0
Thanks for the answer, do you have any idea how to fix this?
0
0
Have you tried the
global.asax(.cs)option?0
0
We have tried it. But it doen’t work. Probably because of this line (MVC…): routes.IgnoreRoute(“{resource}.axd/{*pathInfo}”);
0
0
Hi, great article, but I’ve got question/problem..
At the first glance all seems be well, I receive modified http headers, but when I send request to doesn’t exists page (and server will return 404 webpage) server name is ‘IIS 8.5’ in the HTTP headers..
I found what is a problem – custom error pages.
When I remove httpErrors elements from web.config, Server Name header isn’t display in HTTP headers (in both cases – correct/incorrect webpage url).
How can I fix it ? (I want to have custom error pages and remove Server Name header..)
Regards
AErot
0
0
Hi @disqus_E1570bwNoJ:disqus , thank you for your comment. Interesting… What are you using, PHP or ASP.NET, and which solution do you use to remove the Server: header? It might be a .NET Framework thingy.
0
0
Hi Jan R, thanks for quick response. I use your method: URL Rewrite Module Outbound Rule on IIS8. Actually I created topic on forums.iis.net ( http://forums.iis.net/t/1233506.aspx?How+to+remove+Server+Name+Microsoft+IIS+8+5+from+HTTP+headers+ ) (where is my config file), but I have not received accurate answer yet.
I’m still looking for help..
Regards
AErot
0
0
I’ve seen your web.config in that thread. Maybe you have to add
existingResponse=to your custom httpErrors node? See http://stackoverflow.com/a/31041696/1297898 for more information.0
0
Bullseye! It looks like it’s working with Passthrough :) I must think about error page in ASP.NET. Thx!
Best
AErot
0
0
Nice find @disqus_E1570bwNoJ:disqus , if you have the relevant
web.configlines for me (and the scripting language you use: ASP.NET, PHP or ASP), I can add it to this post. Thanks in advance!0
0
Hi,
When i set the existingResponse=passthrough, the server information is not displayed for the 404 status code but my custom error pages defined in IIS stopped working. Is there any workaround for this?
0
0
what is the impact,if application caching having both
Custom HTTP Response Header +set common HTTP response header
0
0