Remove IIS Server version HTTP Response Header


GamesGames

Remove HTTP response headers in Windows Server IIS 10 and ASP.NET because Windows Server IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Normal HTTP Response headers

Microsoft Internet Information Services logo
Microsoft Internet Information Services

Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.

Therefore it’s advised you remove at least some of these headers.

But let’s start with how a normal HTTP HEAD response looks like:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:05:34 GMT
Connection: closeCode language: HTTP (http)

Here you notice IIS displaying its version information in a Server header, as response:

Server: Microsoft-IIS/8.0Code language: HTTP (http)

As with removing ETag headers in IIS, you can rewrite and empty the Server: HTTP response header in IIS with a URL Rewrite Module outboundRule.

Looking to enable HTTP Strict-Transport-Security (HSTS) on IIS (or more HTTP security headers)?

Are you looking for rock solid, eco-friendly, Windows hosting? Look no further! UmbHost got you covered, offering hosting services for websites and businesses of all sizes.

Remove Server response header with an outboundRule URL Rewrite rule

Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it. On IIS 7+ (IIS 7, 8.5, 8.0, 8.5, IIS 10.0), use an rewrite outboundRule to remove the web server version information from the Server: header response.

You can use the following URL Rewrite Outbound rule:

<rewrite>    
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>Code language: HTML, XML (xml)

What the outboundRule does is: it looks for the header – or serverVariable – Server: in the output response stream, and rewrites the value with an empty string (nothing).

The end result is an empty Server: response header line:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:06:08 GMT
Connection: closeCode language: HTTP (http)

You’ve now successfully removed the Server version response from the HTTP headers!

This is a website-specific rule. If you want to create the rule for all of your applications, you have to create the rule at the server level. Also, some applications, especially third party applications, may require and depend on the Server header. Then you may need to remove this rule for those applications.

Rewrite ‘Server: Microsoft-IIS/8.0’ with your own server information – just for the fun

The fun part of rewriting response headers is that you can display your own information string. For example, if you give in an value in the Rewrite action, that message is displayed:

<action type="Rewrite" 
  value="Saotn Server Software systems, LTD." />Code language: HTML, XML (xml)
HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Saotn Server Software systems, LTD.
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 11:19:16 GMT
Connection: closeCode language: HTTP (http)

Isn’t this fun, now is it? :)

Remove ASP.NET X-Powered-By header in IIS using web.config customHeaders

By default IIS tells the world it’s powered by ASP.NET, by placing an X-Powered-By header:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:07:37 GMT
Connection: closeCode language: HTTP (http)

This response header can be removed with a customHeaders setting in web.config, placed in the <system.webServer> node:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>Code language: HTML, XML (xml)

Now the X-Powered-By header is removed from the response header output

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:10:02 GMT
Connection: closeCode language: HTTP (http)

learn more about various HTTP security headers.

X-AspNet-Version header

The X-AspNet-Version HTTP Header broadcasts to the world what version of ASP.NET is being used. Add the following content inside the <system.web> node in your application’s web.config file:

<httpRuntime
  enableVersionHeader="false" />Code language: HTML, XML (xml)

removeServerHeader requestFiltering in IIS 10.0

In IIS 10.0 (Windows Server 2016/2019), you can remove the Server header by configuring requestFiltering in your web.config system.webServer node:

<security>
  <requestFiltering removeServerHeader ="true" />
</security>Code language: HTML, XML (xml)

Or in IIS Manager’s Configuration Editor:

Set removeServerHeader to True in IIS Configuration Manager requestFiltering node.

This way you don’t have to fiddle with complex outbound rewrite rules. To remove ASP.NET’s X-Powered-By header you still need the customHeaders section as mentioned above.

Protip: Donate $10, 20 or 30 through Paypal (or see my donate page) and support this site. Thank you <3

foto van Jan Reilink

About the author

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily SysOps/DevOps thing at cldin. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

0 0 votes
Article Rating
Subscribe
Notify of
47 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Ketan
1 year ago

It will not work after reloading a page. It will give IIS version after reloading or refreshing a page.
Please go for link it will work like charm.
https://stackoverflow.com/questions/22401219/remove-server-response-header-iis-8-0-8-5

chandu
2 years ago

Hi
if i will send wrong request the server version is showing like below .

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 27 Apr 2020 09:57:10 GMT
Connection: close

How to remove Server: Microsoft-HTTPAPI/2.0
Content-Length: 334

nikko
2 years ago

Hi,
We’re using URL Rewrite Outbound rule to clear the value of the Server header and it works when using GET or POST, but when we use HEAD method is would still show IIS 8.5.
Any ideas why? The only difference I see is that we’re not using “rewriteBeforeCache=true”. Could that be the issue?

hamza Zuheri
3 years ago

I want to remove the text/html on response after sending the request to client as text/xml

3 years ago

Hi, How to remove the Response Server for the error 500?

basavraj
3 years ago

Hello Jan,
I am looking to implement this changes for my application which is running on windows server..
Could you please help to share exact file name where I need to add above rewrite rule on window server
reason why am asking as I have implemented same fix for removing server information for port 47001 and 5985 but this is something not working for 8080 port number. It was added in web.conf file and below is response message for 8080 port

shailavb
3 years ago

amazing man thanks a lot!!

Marq
4 years ago

Good day all, I am running into a problem: I succesfully created an Outbound Rule in IIS that rewrites the server header to “This is a Web Server” instead of Microsoft-IIS/7.5. However, after this the Active Directory Single Sign On is no longer working for the users. Is there another option that does not interfere with Single Sign On? It seems the server header is being used by Active Directory to authenticate. All ideas welcome!

4 years ago

How do you remove-unwanted-http-response-headers if you’re using adfs 3.0 since it’s not using iis?

4 years ago

Thanks Jan. Great article i removed iis server headers successfully.

Ulli
4 years ago

To remove all instances of the header (incl. on 404, etc. responses) or for self hosted services:
https://blogs.msdn.microsoft.com/dsnotes/2017/12/18/wswcf-remove-server-header/

Ankit
4 years ago

Hi,

I am getting the Server Name as “Microsoft-IIS/8.5” even after rewriting the server name as “” in the Error pages. Following is the web.config code:

Ankit
Reply to  Jan Reilink
4 years ago

Hi Jan,

I am redirecting the error to the custom error pages like

and I am using the following to remove/rename the Server Name:

But, then also Server Name is coming in the custom error pages. How to remove the server name from the custom error pages?

Ankit
Reply to  Jan Reilink
4 years ago

Hi Jan,

Thanks for the advice. I hope this time my code is visible.

I am developing a mobile friendly application using MEAN. So. my issue is that I want to remove/hide/rename the Server Name from all the pages. I am able to do so in all the pages except the custom error pages. I am redirecting the error to the custom error pages like:

and I am using the following to remove/rename the Server Name:

But, then also Server Name is coming in the custom error pages. How to remove the server name from the custom error pages?

ANKIT
Reply to  Jan Reilink
4 years ago

Hi Jan,

Actually, the issue is that the server name is visible in the HTTP Headers. Using the outbound rule in web.config, the server name is removed from the web pages but it is not removed from the custom error pages to which I am redirecting. I have also used errorMode=”Custom” existingResponse=”PassThrough” but it’s still coming.

Rikin Patel
4 years ago

When I used below code

protected void Application_BeginRequest(object sender, EventArgs e)
{
var application = sender as HttpApplication;
if (application != null && application.Context != null)
{
application.Context.Response.Headers.Remove(“Server”);
}
}
Then I am getting following error.
Error: This operation requires IIS integrated pipeline mode

More Info: I am using IIS 10, website hosting as Application and Application pool as Classic mode. If I changed to Integrated mode then working fine. But right now I can not change to this on Production environment because it may create other issue.

So, can you please suggest best solution in this situation.

Anonymous
4 years ago

Thanks for the help!

4 years ago

I also have a rule that redirects http requests to https. But the redirect sends back all headers, including the Server: header. This is the http rule:

This is from the Microsoft URL Rewrite reference page:

Usage of a Redirect action implies that no subsequent rules evaluated for the current URL after redirection is performed.

Is there any way to remove the server header on a redirect?

5 years ago

I am using IIS 8.5 and whenever I attempt to use in my web.config IIS does not like it. I’ve seen that this only works on IIS7 or other versions. Is there a workaround or other method to remove the ASP version?

Reply to  Pablo
5 years ago

looks like it removed my code ” ” in my comment above

Reply to  Pablo
5 years ago

one more try httpRuntime enableVersionHeader “false”

Nishant
5 years ago

Removing the server variable from response using url rewrite outbound rules is not working . application is angular 4 application and My server is windows 8 with iis 8.5 and I have my web.config data as shown below .

PRS
6 years ago

what is the impact,if application caching having both
Custom HTTP Response Header +set common HTTP response header

AErot
6 years ago

Hi, great article, but I’ve got question/problem..

At the first glance all seems be well, I receive modified http headers, but when I send request to doesn’t exists page (and server will return 404 webpage) server name is ‘IIS 8.5’ in the HTTP headers..

I found what is a problem – custom error pages.

When I remove httpErrors elements from web.config, Server Name header isn’t display in HTTP headers (in both cases – correct/incorrect webpage url).

How can I fix it ? (I want to have custom error pages and remove Server Name header..)

Regards
AErot

Reply to  AErot
6 years ago

Hi @disqus_E1570bwNoJ:disqus , thank you for your comment. Interesting… What are you using, PHP or ASP.NET, and which solution do you use to remove the Server: header? It might be a .NET Framework thingy.

AErot
Reply to  Jan R
6 years ago

Hi Jan R, thanks for quick response. I use your method: URL Rewrite Module Outbound Rule on IIS8. Actually I created topic on forums.iis.net ( http://forums.iis.net/t/1233506.aspx?How+to+remove+Server+Name+Microsoft+IIS+8+5+from+HTTP+headers+ ) (where is my config file), but I have not received accurate answer yet.

I’m still looking for help..

Regards
AErot

Reply to  AErot
6 years ago

I’ve seen your web.config in that thread. Maybe you have to add existingResponse= to your custom httpErrors node? See http://stackoverflow.com/a/31041696/1297898 for more information.

AErot
Reply to  Jan R
6 years ago

Bullseye! It looks like it’s working with Passthrough :) I must think about error page in ASP.NET. Thx!

Best
AErot

Reply to  AErot
6 years ago

Nice find @disqus_E1570bwNoJ:disqus , if you have the relevant web.config lines for me (and the scripting language you use: ASP.NET, PHP or ASP), I can add it to this post. Thanks in advance!

Vijaikanth N
Reply to  Jan R
6 years ago

Hi,

When i set the existingResponse=passthrough, the server information is not displayed for the 404 status code but my custom error pages defined in IIS stopped working. Is there any workaround for this?

Ansonmus
6 years ago

We have tried it. But it doen’t work. Probably because of this line (MVC…): routes.IgnoreRoute(“{resource}.axd/{*pathInfo}”);

Ansonmus
6 years ago

Thanks for the answer, do you have any idea how to fix this?

Ansonmus
6 years ago

I’ve a issue with the solution.
I can do a request to /blalbla.axd (every name possible) and then the “Server” variable will have a value…

6 years ago

This article was very helpful. The $2 donation is worth it.

Kunal Maurya
7 years ago

Is there any way to completely remove “Server: Microsoft-IIS/8.0” from a site having static pages only like ?

Reply to  Kunal Maurya
7 years ago

Hi Kunal, thank you for your comment.
An IIS Outbound Rule rewrites the output stream (HTTP response), so it’ll also remove the Server header from static HTML files.

47
0
Would love your thoughts, please comment.x
()
x