How can we remove the server header response in IIS 8.0/8.5?
My current server report: Microsoft-IIS/8.0
Microsoft-IIS/8.5
For IIS 7.0 I used URLScan 3.1; however, this is only supported for IIS 7.0 and not 8.x.
Open the site which you would like to open and then click on the HTTP Response Headers option. Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.
Removing the Server: header is a security by obscurity action, and an almost entirely ineffective one. But if it makes you feel better, or you're being told to do it by your boss or an auditor, go for it.
As with removing ETag headers in IIS, you can rewrite and empty the Server: HTTP response header in IIS with a URL Rewrite outboundRule. Remove Server response header with an outboundRule URL Rewrite rule. Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it.
On IIS 7+ (IIS 7, 8.5, 8.0, 8.5, IIS 10.0), use a rewrite outboundRule to remove the web server version information from the Server: header response.
The <redirectHeaders> element specifies a collection of custom HTTP headers that Internet Information Services (IIS) 7 will add to HTTP redirects. HTTP headers are name and value pairs that are returned in responses from a Web server.
Install IIS 8.5 using the Server Manager. Server Manager provides a single dashboard to install or uninstall server roles, role services, and features. Server Manager also gives an overview of all currently installed roles and features.
There is another solution, and in my opinion this solution is the best and safest.
You can use the URL Rewrite module created by Microsoft. The URL Rewrite module redirects your URL and can also change your IIS server name in the response header.
You don't have to use the redirect property. You can just change the Server header value.
Here are the steps:
First, download the URL Rewrite module from this link: http://www.iis.net/downloads/microsoft/url-rewrite and install it on your IIS server. After that, restart IIS with this command in the cmd console:
iisreset /restart
Add the following item to your web config file under the <system.WebServer> tag. You can write anything to the Value item as server name.
Finally, we changed the IIS version name in the response header. Restart IIS again via the cmd console.
Bonus: If you want to test your website to see if it is working or not, you can use the "HttpRequester" Mozilla Firefox plugin. For this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/
PS: I tested it and it worked for me on the IIS server, but not on the temporary IIS server created by Visual Studio.
It is possible now to remove the Server header from web.config starting from IIS 10.0:
<security> <requestFiltering removeServerHeader="true" /> </security>
More details on how to remove all unwanted/unnecessary headers can be found here.
Please note that this hides the server header from the "application", as do all the other approaches. If you e.g. reach some default page or an error page generated by IIS itself or ASP.NET outside your application, these rules won't apply. So ideally they should be on the root level in IIS, and that still may leave some error responses to IIS itself.
Note there is a bug in IIS 10 that makes it sometimes show the header even with the modified config prior to 2019.1C. It should be fixed by now, but IIS/Windows has to be updated.
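The two answers above describe a URL Rewrite outbound rule and the IIS 10.0 `removeServerHeader` attribute. As an added example (not code from any of the posts), this Python check reports which of those settings a web.config actually contains. The function name and the sample web.config are constructed for illustration; the sample assumes URL Rewrite's `RESPONSE_SERVER` server variable for the Server header and a `<customHeaders>` `<remove>` entry for X-Powered-By, neither of which is quoted on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the page): blanks Server via URL Rewrite.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Report which header-hiding settings a web.config contains."""
    found = {"removeServerHeader": False, "server_rewrite_value": None,
             "x_powered_by_removed": False}
    ws = ET.fromstring(xml_text).find("system.webServer")
    if ws is None:
        return found
    # IIS 10.0+: <security><requestFiltering removeServerHeader="true" />
    rf = ws.find("security/requestFiltering")
    if rf is not None:
        found["removeServerHeader"] = rf.get("removeServerHeader", "").lower() == "true"
    # URL Rewrite: an outbound rule that rewrites RESPONSE_SERVER.
    for rule in ws.findall("rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None
                and match.get("serverVariable", "").upper() == "RESPONSE_SERVER"
                and action.get("type", "").lower() == "rewrite"):
            found["server_rewrite_value"] = action.get("value", "")
    # Removal of the X-Powered-By custom header.
    for rem in ws.findall("httpProtocol/customHeaders/remove"):
        if rem.get("name", "").lower() == "x-powered-by":
            found["x_powered_by_removed"] = True
    return found


if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

A `server_rewrite_value` of `""` means the rule empties the header rather than removing it, and `None` means no such rule exists. The check reads configuration only, so responses generated by IIS outside the application still need to be inspected separately.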