Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Remove Server Response Header IIS 8.0 / 8.5

How can we remove the server header response in IIS 8.0/8.5?
My current server report: Microsoft-IIS/8.0 Microsoft-IIS/8.5
For IIS 7.0 I used the URLScan 3.1 however this is only supported for IIS 7.0 and not 8.x

like image 657
BastianW Avatar asked Mar 14 '14 09:03

BastianW


People also ask

How do I remove a response header?

Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.

Should I remove Server header?

Removing the Server: header is a security by obscurity action, and an almost entirely ineffective one. But if it makes you feel better, or you're being told to do it by your boss or an auditor, go for it.

How to remove the server HTTP response header in IIS?

As with removing ETag headers in IIS, you can rewrite and empty the Server: HTTP response header in IIS with a URL Rewrite outboundRule. Remove Server response header with an outboundRule URL Rewrite rule. Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it.

How to remove the web server version from the header response?

On IIS 7+ (IIS 7, 8.5, 8.0, 8.5, IIS 10.0), use an rewrite outboundRule to remove the web server version information from the Server: header response.

What is redirectheaders in IIS 7?

The <redirectHeaders> element specifies a collection of custom HTTP headers that Internet Information Services (IIS) 7 will add to HTTP redirects. HTTP headers are name and value pairs that are returned in responses from a Web server.

How do I install or uninstall IIs 8 5?

Install IIS 8.5 using the Server Manager. Server Manager provides a single dashboard to install or uninstall server roles, role services, and features. Server Manager also gives an overview of all currently installed roles and features.


2 Answers

There is another solution and in my opinion this solution is the best and safe.

You can use UrlRewrite module created by the Microsoft. The Url Rewrite module redirects your url and can also change your IIS server name in the response header.

You don't have to use redirect property. You can use just change the Server header value.

Here are the steps:

  1. First, download UrlRewrite module from this link: http://www.iis.net/downloads/microsoft/url-rewrite and install it on your IIS server. After that, restart IIS by this command on cmd console

    iisreset /restart 
  2. Add the following item to the your web config file under the <system.WebServer> tag. You can write anything to the Value item as server name.

    enter image description here

  3. Finally we changed the IIS version name on the data's header. Restart IIS again. via cmd console.

  4. Bonus: If you want to test your website to see if it is working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

PS: I tested it and it worked for me on the IIS server. Not on the has been created temproray IIS server by the Visual studio.

like image 183
Mahmut EFE Avatar answered Oct 08 '22 12:10

Mahmut EFE


It is possible now to remove Server header from web.config starting from IIS 10.0 :

<security>   <requestFiltering removeServerHeader ="true" /> </security> 

More details on how to remove all unwanted/unnecessary headers can be found here.

Please note that this hides server header from the "application", as do all the other approaches. If you e.g. reach some default page or an error page generated by the IIS itself or ASP.NET outside your application these rules won't apply. So ideally they should be on the root level in IIS and that sill may leave some error responses to the IIS itself.

Note there is a bug in IIS 10 that makes it sometimes show the header even with the modified config prior to 2019.1C. It should be fixed by now, but IIS/Windows has to be updated.

like image 38
Ilya Chernomordik Avatar answered Oct 08 '22 10:10

Ilya Chernomordik