Remove Microsoft-HTTPAPI/2.0 from the response header Server (Self-hosted Http.Sys)

Question

How do i suppress or remove the HTTP response header 'Server: Microsoft-HTTPAPI/2.0'? Penetration testing has revealed that it is a security vulnerability to disclose the server platform.

I have a self-hosted asp.net core web application running on Windows Server 2019 and am using Http.Sys instead of Kestrel since I need NTML authentication.

According to Microsoft, the response header can be turned off via the registry, but it does not work for me. I have set the DisableServerHeader to 2 in the registry per HTTP.SYS registry settings and rebooted the server.

1. If I do not add a response header, it will be added automatically. Server: Microsoft-HTTPAPI/2.0
2. If I add a response header, the value will be added automatically. Server: my-dumy-value Microsoft-HTTPAPI/2.0

Update, I found the issue! I failed to enter the parameter name correctly, a traling space was revealed when I exported the key. It works as expected after removing the space and rebooting the server.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader "=dword:00000002

Answer 1

There seems to be no code solution to remove the HTTP header from the server on the host. One solution is to edit the Windows registry.

You can add a registry value so HTTP.sys doesn't include the header.

1. Open Regedit
2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
3. If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
4. Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference docs: Http.sys registry settings for Windows