Remove HTTP response headers in Windows Server IIS 10 and ASP.NET
Windows Server IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).
Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers can learn a lot about your server and network just by looking at the response headers a web server returns: a product and version string such as Microsoft-IIS/8.0 lets them look up the known vulnerabilities for exactly that version. Therefore it’s advised you remove at least some of these headers.
But let’s start with what a normal HTTP HEAD response looks like:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:05:34 GMT
Connection: close
Here you notice IIS disclosing its version information in the Server response header: Server: Microsoft-IIS/8.0.
With the URL Rewrite module you cannot really remove the Server header, but you can rewrite its content and empty it. On IIS 7 and later (IIS 7.0, 7.5, 8.0, 8.5 and 10.0), use a URL Rewrite outbound rule to strip the web server version information from the Server: response header. URL Rewrite is not part of a default IIS installation; it is a separate module you have to install first.
You can use the following URL Rewrite outbound rule, placed in the system.webServer node of your web.config:

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
What the outbound rule does is: it looks for the Server: header, exposed as the server variable RESPONSE_Server, in the outgoing response and rewrites its value with an empty string (nothing).
The end result is an empty Server: response header line:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:06:08 GMT
Connection: close
You’ve now successfully removed the Server version from the HTTP response headers!
This is a website-specific rule. If you want the rule to apply to all of your applications, you have to create it at the server level. Also, some applications, especially third party applications, may require and depend on the Server header; for those you may need to remove this rule again. One more caveat: the rule only touches responses that pass through the IIS pipeline. Responses that HTTP.sys generates itself, for example for a malformed request it rejects before IIS ever sees it, still carry Server: Microsoft-HTTPAPI/2.0.
The fun part of rewriting response headers is that you can display your own information string. For example, if you provide a value in the Rewrite action, that string is sent instead:

<action type="Rewrite" value="Saotn Server Software systems, LTD." />

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Saotn Server Software systems, LTD.
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 11:19:16 GMT
Connection: close
Isn’t this fun, now is it? :)
The next header to go is X-Powered-By: ASP.NET, which is still in the response:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:07:37 GMT
Connection: close
This response header can be removed with a customHeaders setting in web.config, placed in the system.webServer node:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>
The X-Powered-By header is now gone from the response header output:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:10:02 GMT
Connection: close
The X-AspNet-Version HTTP header broadcasts to the world which version of ASP.NET is being used. Add the following inside the <system.web> node in your application’s web.config file:
<httpRuntime enableVersionHeader="false" />
In IIS 10.0 you can remove the Server header by configuring requestFiltering in the system.webServer node of your web.config:

<security>
  <requestFiltering removeServerHeader="true" />
</security>

The removeServerHeader attribute was added in IIS 10.0 version 1709, so it works on Windows Server 2019 but not on the original Windows Server 2016 (version 1607) build, which still needs the outbound rule above.
This way you don’t have to fiddle with complex outbound rewrite rules.
To remove ASP.NET’s X-Powered-By header you still need the customHeaders section as mentioned above.
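The whole procedure from this post in one script, as an added example that is not part of the original post: it uses the WebAdministration module to write the three settings (removeServerHeader, the X-Powered-By remove entry and enableVersionHeader) into one site’s web.config, then sends a HEAD request to confirm what the server still returns. The site name Default Web Site, the URL http://localhost/ and the two function names are assumptions for the example; the check list also includes X-AspNetMvc-Version, which ASP.NET MVC adds and which the post does not cover.

```powershell
# Added example, not part of the original post: apply the settings from this
# post to one site with the WebAdministration module, then check the result.
# Run from an elevated PowerShell prompt on the IIS 10 host itself.
# Site name and URL are assumed (hypothetical); change both for your environment.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$SitePath = "IIS:\Sites\$SiteName"
$Url      = 'http://localhost/'

function Set-HeaderHardening {
    param([Parameter(Mandatory)][string]$PSPath)

    # <security><requestFiltering removeServerHeader="true" /></security>
    # Needs IIS 10.0 version 1709 or later; older builds do not know the
    # attribute and still need the URL Rewrite outbound rule from the post.
    Set-WebConfigurationProperty -PSPath $PSPath `
        -Filter 'system.webServer/security/requestFiltering' `
        -Name 'removeServerHeader' -Value $true

    # <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
    # The <add> for X-Powered-By lives in applicationHost.config; removing it at
    # site scope writes a <remove> element into the site's web.config. Skip it
    # when the effective configuration no longer has the header, so re-running
    # the script is safe.
    $xPoweredBy = Get-WebConfiguration -PSPath $PSPath `
        -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"
    if ($xPoweredBy) {
        Remove-WebConfigurationProperty -PSPath $PSPath `
            -Filter 'system.webServer/httpProtocol/customHeaders' `
            -Name '.' -AtElement @{ name = 'X-Powered-By' }
    }

    # <system.web><httpRuntime enableVersionHeader="false" /></system.web>
    Set-WebConfigurationProperty -PSPath $PSPath `
        -Filter 'system.web/httpRuntime' `
        -Name 'enableVersionHeader' -Value $false
}

function Get-VersionHeaders {
    # Sends a HEAD request and returns a hashtable of the version-disclosing
    # headers that are still present, with their values ('' for an emptied one).
    param([Parameter(Mandatory)][string]$Uri)

    # X-AspNetMvc-Version is added by ASP.NET MVC and is not covered in the post;
    # it is listed here only so the check catches it as well.
    $watch = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'
    $response = Invoke-WebRequest -Uri $Uri -Method Head -UseBasicParsing

    $present = @{}
    foreach ($name in $response.Headers.Keys) {
        if ($watch -contains $name) {          # -contains is case-insensitive
            # PowerShell 7 stores header values as string[], Windows PowerShell 5.1 as string
            $present[$name] = ($response.Headers[$name] -join ', ').Trim()
        }
    }
    return $present
}

Set-HeaderHardening -PSPath $SitePath

$leaks = Get-VersionHeaders -Uri $Url
if ($leaks.Count -eq 0) {
    Write-Host "OK: no Server, X-Powered-By or X-AspNet-Version header in the response from $Url"
} else {
    Write-Warning "Version headers still present in the response from ${Url}:"
    $leaks.GetEnumerator() | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Key, $_.Value) }
}
```

If the check reports Server with an empty value, the URL Rewrite rule is doing the work rather than removeServerHeader, which is what you will see on an IIS 10 build older than version 1709. A HEAD request through Invoke-WebRequest only exercises the normal IIS pipeline; it does not show what HTTP.sys itself sends for requests it rejects before they reach IIS.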
My name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily thing at Vevida.