As mentioned in other SO questions Windows Azure Web Apps are running on IIS/8.0, but I have some doubt if that is actually true.
First of all, when I check the HTTP response from a web app running on the Azure Web Apps free tier I can see the following HTTP header:
Server:Microsoft-IIS/8.0
However, according to this documentation and to some local testing on my machine I know that requestFiltering removeServerHeader
is not supported in IIS 8.0.
e.g.:
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
It is a feature which has been added with IIS 10.0 and I can confirm this by running some more tests on a Windows 10 VM with IIS 10.0.
Interestingly this setting also works on my Azure Web App, which supposedly runs on IIS 8.0, so my question is what version of IIS is Azure Web Apps actually running on?
EDIT: From all the comments below it seems that Azure Web Apps run on IIS 8.0, so I re-phrase my question to: How come the removeServerHeader works in an Azure Web App when they run on IIS 8.0?
Azure App Service for Windows runs on IIS with the use of modules. Node. js apps in App Service on Windows are hosted with IISNode.
Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it. On IIS 7+ (IIS 7, 8.5, 8.0, 8.5, IIS 10.0), use an rewrite outboundRule to remove the web server version information from the Server: header response.
A blog post from Microsoft in 2013 states:
Our customers asked us to allow these headers to be disabled on Azure Web Sites, and so with the recent release of Windows Azure Web Sites, we have enabled this to be done.
It then goes on to give an example of using removeServerHeader
and says it's part of the Request Filtering module:
The removal of these headers is facilitated with the Request Filtering module...
Interestingly their documentation for IIS 10 Request Filtering confirms that the removeServerHeader
attribute was added to IIS 10 as you have found out.
New in IIS 10.0
IIS 10.0 added the
removeServerHeader
attribute to suppress sending the HTTP server header to remote clients.
So I would say that the reason it works on Azure Web Sites is because Microsoft pushed this feature out to Azure Web Sites at the request of customers in 2013 - presumably as part of an Azure-specific version of the Request Filtering module. They have since integrated it as standard into the IIS 10 Request Filtering module.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With