
Why can't the "Server" Response Header be removed via web.config in IIS7?

Remove Server Response Header IIS7

I know how to remove the Server response header with an HTTP Module based on the link above.

I just want to know why it is necessary to remove it this way.

David Murdoch asked Sep 09 '10 15:09




2 Answers

The comments in Aristos' link give as good an answer to the why.

It boils down to MS not wanting to easily let people modify this value. Whether for marketing or other purposes is open to interpretation.

One thing to take away from that discussion is that modifying the server header is not useful for any sort of security. There are a myriad of ways that you can detect exactly what kind (and version) of web server software is running.

Which leaves us with only one reason to do so: to save bytes. Unless you're running an extremely high traffic site this isn't a concern. If you are running a high traffic site then you are more than likely already running one or more custom modules.

NotMe answered Oct 17 '22 09:10


The following thing works for me:

In IIS 10.0 (Windows Server 2016/2019), you can remove the Server header by configuring requestFiltering in your web.config system.webServer node:

<security>
  <requestFiltering removeServerHeader="true" />
</security>

This way you don’t have to fiddle with complex outbound rewrite rules.

To remove ASP.NET’s X-Powered-By header you still need the customHeaders section as mentioned above.

source: https://www.saotn.org/remove-iis-server-version-http-response-header/

C. Molendijk answered Oct 17 '22 08:10
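
As an added example (not part of the answer above or its linked source), this Python audit checks whether a web.config carries both settings the answer refers to: removeServerHeader on requestFiltering and a customHeaders remove entry for X-Powered-By. The two sample configs are constructed, audit_web_config is a hypothetical helper name, and only an explicit `<remove>` entry is recognized.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's requestFiltering setting plus a
# customHeaders <remove> for X-Powered-By (assumed layout, IIS 10.0+).
HARDENED = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed sample: header removal not configured at all.
DEFAULT = """<configuration>
  <system.webServer>
    <security><requestFiltering /></security>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Return the banner headers this web.config still leaves enabled."""
    root = ET.fromstring(xml_text)
    findings = []

    # Server header: requestFiltering/@removeServerHeader must be "true".
    rf = root.find("./system.webServer/security/requestFiltering")
    if rf is None or rf.get("removeServerHeader", "false").strip().lower() != "true":
        findings.append("Server")

    # X-Powered-By: needs a <remove> entry under httpProtocol/customHeaders.
    removed = {
        el.get("name", "").strip().lower()
        for el in root.findall("./system.webServer/httpProtocol/customHeaders/remove")
    }
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, audit_web_config(cfg) or "no banner headers left")
```

A clean audit only shows what the file asks for; the Server setting takes effect on IIS 10.0 as the answer states, so confirm against the live response headers as well.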