Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

Remove IIS Server version HTTP Response Header

How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Microsoft Internet Information Services logo
Microsoft Internet Information Services

Normal HTTP Response headers

Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.

Therefore it’s advised you remove at least some of them.

This is what a normal HTTP HEAD response looks like:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:05:34 GMT
Connection: close

And here you’ll notice IIS displaying its version information in a Server header, as response:

Server: Microsoft-IIS/8.0

As with removing ETag headers in IIS, you can rewrite and empty the Server: HTTP response header in IIS with a URL Rewrite outboundRule.

Remove Server response header with an outboundRule URL Rewrite rule

Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it.
On IIS 7+ (IIS 7, 8.5, 8.0, 8.5), use an rewrite outboundRule to remove the web server version information from the Server: header response.

You can use the following URL Rewrite Outbound rule:

<rewrite>    
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

What the outboundRule does is: it looks for the header – or serverVariable – Server: in the output response stream, and rewrites the value with an empty string (nothing).

This may interest you:   RewriteProxy with .htaccess in IIS

The end result is an empty Server: response header line:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:06:08 GMT
Connection: close

You’ve now successfully removed the Server version response from the HTTP headers!

This is a website-specific rule. If you want to create the rule for all of your applications, you have to create the rule at the server level. Also, some applications, especially third party applications, may require and depend on the Server header. Then you may need to remove this rule for those applications.

Rewrite ‘Server: Microsoft-IIS/8.0’ with your own server information – just for the fun

The fun part of rewriting response headers is that you can display your own information string. For example, if you give in an value in the Rewrite action, that message is displayed:

<action type="Rewrite" 
  value="Saotn Server Software systems, LTD." />
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Saotn Server Software systems, LTD.
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 11:19:16 GMT
Connection: close

Fun, heh :)

Remove X-Powered-By header in IIS using web.config customHeaders

By default IIS tells the world it’s powered by ASP.NET, by placing an X-Powered-By header:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:07:37 GMT
Connection: close

This response header can be removed with a customHeaders setting in web.config, placed in the <system.webServer> node:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

Now the X-Powered-By header is removed from the response header output

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:10:02 GMT
Connection: close

X-AspNet-Version header

The X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used. Add the following content inside the <system.web> node in your application’s web.config file:

<httpRuntime
  enableVersionHeader="false" />

Remove HTTP headers in Global.asax

ASP.NET programmers may also remove or change server HTTP response headers through a global.asax file In your global.asax.cs add this:

This may interest you:   5 Extra ways to clean up disk space in Windows Server

See the #Protip below for why not to use this code with managed modules that implement IHttpModule:

protected void Application_PreSendRequestHeaders()
{
  // Response.Headers.Remove("Server");
  Response.Headers.Set("Server","My httpd server");
  Response.Headers.Remove("X-AspNet-Version");
  Response.Headers.Remove("X-AspNetMvc-Version");
}

ProTip:┬átaken from Ilya Grebnov’s post edit on StackOverflow:

You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.

protected void Application_BeginRequest(object sender, EventArgs e)
{
  var application = sender as HttpApplication;
  if (application != null && application.Context != null)
  {
    application.Context.Response.Headers.Remove("Server");
  }
}

To remove X-AspNetMvc-Version in your Global.asax file, create/find the Application_Start event and add a line as follows:

protected void Application_Start()
{
  MvcHandler.DisableMvcResponseHeader = true;
}

Azure: How to remove ‘Server’ and ‘X-Powered-By’ response headers from your Azure websites

You can now hide the Server and X-Powered-By headers by adding an entry to your web.config system.webServer node:

<security>
  <requestFiltering removeServerHeader ="true" />
</security>

34 Comments

  1. Thanks Jan. Great article i removed iis server headers successfully.

  2. To remove all instances of the header (incl. on 404, etc. responses) or for self hosted services:
    https://blogs.msdn.microsoft.com/dsnotes/2017/12/18/wswcf-remove-server-header/

  3. Hi,

    I am getting the Server Name as “Microsoft-IIS/8.5” even after rewriting the server name as “” in the Error pages. Following is the web.config code:

    • Hi Ankit,

      Unfortunately your web.config code got lost in the comment. But what do you mean with “in the Error pages”, like the default IIS error pages located in C:\inetpub\custerr\en-US? Or somewhere else? Perhaps you have to use existingResponse=passthrough too? See the other comments.

      • Hi Jan,

        I am redirecting the error to the custom error pages like

        and I am using the following to remove/rename the Server Name:

        But, then also Server Name is coming in the custom error pages. How to remove the server name from the custom error pages?

        • Hi Ankit,
          Your code isn’t coming through, please use a gist if possible and link to there, or wrap your code nicely in `<code></code>` tags.

          • Hi Jan,

            Thanks for the advice. I hope this time my code is visible.

            I am developing a mobile friendly application using MEAN. So. my issue is that I want to remove/hide/rename the Server Name from all the pages. I am able to do so in all the pages except the custom error pages. I am redirecting the error to the custom error pages like:

            and I am using the following to remove/rename the Server Name:

            But, then also Server Name is coming in the custom error pages. How to remove the server name from the custom error pages?

          • Hi Jan,

            Actually, the issue is that the server name is visible in the HTTP Headers. Using the outbound rule in web.config, the server name is removed from the web pages but it is not removed from the custom error pages to which I am redirecting. I have also used errorMode=”Custom” existingResponse=”PassThrough” but it’s still coming.

  4. When I used below code

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
    var application = sender as HttpApplication;
    if (application != null && application.Context != null)
    {
    application.Context.Response.Headers.Remove(“Server”);
    }
    }
    Then I am getting following error.
    Error: This operation requires IIS integrated pipeline mode

    More Info: I am using IIS 10, website hosting as Application and Application pool as Classic mode. If I changed to Integrated mode then working fine. But right now I can not change to this on Production environment because it may create other issue.

    So, can you please suggest best solution in this situation.

    • Hi Rikin, thank you for your comment!

      I’m not a fan of Classic mode application pools. Why would you want to have IIS 6.0 behaviour? I’d say, fix the problems you have switching to Integrated mode, and move on from there turning off response headers. If Integrated mode is really not an option, try to use web.config settings to disable headers.

      HTH!

  5. Thanks for the help!

  6. I also have a rule that redirects http requests to https. But the redirect sends back all headers, including the Server: header. This is the http rule:

    This is from the Microsoft URL Rewrite reference page:

    Usage of a Redirect action implies that no subsequent rules evaluated for the current URL after redirection is performed.

    Is there any way to remove the server header on a redirect?

  7. I am using IIS 8.5 and whenever I attempt to use in my web.config IIS does not like it. I’ve seen that this only works on IIS7 or other versions. Is there a workaround or other method to remove the ASP version?

  8. Removing the server variable from response using url rewrite outbound rules is not working . application is angular 4 application and My server is windows 8 with iis 8.5 and I have my web.config data as shown below .

  9. what is the impact,if application caching having both
    Custom HTTP Response Header +set common HTTP response header

  10. Hi, great article, but I’ve got question/problem..

    At the first glance all seems be well, I receive modified http headers, but when I send request to doesn’t exists page (and server will return 404 webpage) server name is ‘IIS 8.5’ in the HTTP headers..

    I found what is a problem – custom error pages.

    When I remove httpErrors elements from web.config, Server Name header isn’t display in HTTP headers (in both cases – correct/incorrect webpage url).

    How can I fix it ? (I want to have custom error pages and remove Server Name header..)

    Regards
    AErot

  11. We have tried it. But it doen’t work. Probably because of this line (MVC…): routes.IgnoreRoute(“{resource}.axd/{*pathInfo}”);

  12. Thanks for the answer, do you have any idea how to fix this?

  13. I’ve a issue with the solution.
    I can do a request to /blalbla.axd (every name possible) and then the “Server” variable will have a value…

    • Hi Ansonmus, thanks for your comment.
      The .axd file type is handled by the .NET Framework and often falls beyond the scope of URL Rewrite.

  14. This article was very helpful. The $2 donation is worth it.

  15. Is there any way to completely remove “Server: Microsoft-IIS/8.0” from a site having static pages only like ?

    • Hi Kunal, thank you for your comment.
      An IIS Outbound Rule rewrites the output stream (HTTP response), so it’ll also remove the Server header from static HTML files.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

shares