How to use IIS URL rewrite for ColdFusion to remove Server header and other varibles from Header Response? For IIS (8 and above versions)

Question

As a part of security configuration, we should not be revealing the "Server" variable and other variables in the Header Response. How can I remove these variables for a ColdFusion server hosted on IIS?

Answer 1

1. Download and Install "URL rewrite" from https://www.iis.net/downloads/microsoft/url-rewrite
2. Go to the configured Jakarta folder and add a web.config here. To add a URL rewrite outbound rule to the "Jakarta" virtual directory, we need a web.config. The web.config should have an outbound rule and the variable removal rules mentioned below.

3. Add an outbound rule to web.config, for erasing the server header response value and set it to blank.

   <system.webServer>
       <outboundRules>
         <rule name="Remove Server">
           <match serverVariable="RESPONSE_SERVER" pattern=".*" />
           <action type="Rewrite" />
         </rule>
       </outboundRules>
     </rewrite>
   </system.webServer>
   

4. For server tag value removal for all static files like .css/.js files, add this to web.config:

   <configuration>
     <modules runAllManagedModulesForAllRequests="true">
   </configuration>`
   

5. Add the code below to web.config for removal of X-Powered-By and X-AspNet-Version

   <configuration>
    <httpProtocol>
     <customHeaders>
       <remove name="X-Powered-By" />
       <remove name="Server" />
       <remove name="X-AspNet-Version" />
     </customHeaders>
    </httpProtocol>
   </configuration>
   

6. Convert PortalTools from virtual directory to Application and add the same web.config to the PortalTools folder as well.