Remove Server Response Header IIS7

Question

Is there any way to remove  Server  response header from IIS7  There are some articles showing that using HttpModules we can achieve the same thing  This will be helpful if we don t have admin right to server  Also I don t want to write ISAPI filter   I have admin rights to my server  So I don t want to do the above stuff  So  please help me to do the same

User · Answer

I had researched this and the URLRewrite method works well   Can t seem to find the change scripted anywhere well   I wrote this compatible with PowerShell v2 and above and tested it on IIS 7 5       Add Allowed Server Variable     Add-WebConfiguration  system webServer rewrite allowedServerVariables -atIndex 0 -value   name  RESPONSE SERVER     Rule Name      ruleName    Remove Server Response Header    Add outbound IIS Rewrite Rule     Add-WebConfigurationProperty -pspath  iis    -filter  system webServer rewrite outboundrules  -name     -value   name  ruleName  stopProcessing  False    Set Properties of newly created outbound rule      Set-WebConfigurationProperty -pspath  MACHINE WEBROOT APPHOST   -filter  system webServer rewrite outboundRules rule  name   ruleName   match  -name  serverVariable  -value  RESPONSE SERVER      Set-WebConfigurationProperty -pspath  MACHINE WEBROOT APPHOST   -filter  system webServer rewrite outboundRules rule  name   ruleName   match  -name  pattern  -value          Set-WebConfigurationProperty -pspath  MACHINE WEBROOT APPHOST   -filter  system webServer rewrite outboundRules rule  name   ruleName   action  -name  type  -value  Rewrite

User · Answer

Add this to your global asax cs   protected void Application PreSendRequestHeaders         Response Headers Remove  Server        Response Headers Remove  X-AspNet-Version        Response Headers Remove  X-AspNetMvc-Version

User · Answer

Or add in web config    lt system webServer gt       lt httpProtocol gt           lt customHeaders gt               lt remove name  X-AspNet-Version    gt               lt remove name  X-AspNetMvc-Version    gt               lt remove name  X-Powered-By    gt               lt  --  lt remove name  Server    gt   this one doesn t work -- gt           lt  customHeaders gt       lt  httpProtocol gt   lt  system webServer gt

User · Answer

IIS 7 5 and possibly newer versions have the header text stored in iiscore dll  Using a hex editor  find the string and the word  Server  53 65 72 76 65 72 after it and replace those with null bytes  In IIS 7 5 it looks like this   4D 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 37 2E 35 00 00 00 53 65 72 76 65 72    Unlike some other methods this does not result in a performance penalty  The header is also removed from all requests  even internal errors

User · Answer

Scott Mitchell provides in a blog post solutions for removing unnecessary headers   As already said here in other answers  for the Server header  there is the http module solution  or a web config solution for IIS 10   or you can use URLRewrite instead for blanking it   The most practical solution for an up-to-date  IIS 10    setup is using removeServerHeader in the web config    lt system webServer gt           lt security gt       lt requestFiltering removeServerHeader  true    gt     lt  security gt         lt  system webServer gt    For X-AspNet-Version and X-AspNetMvc-Version  he provides a better way than removing them on each response  simply not generating them at all   Use enableVersionHeader for disabling X-AspNet-Version  in web config   lt system web gt           lt httpRuntime enableVersionHeader  false    gt         lt  system web gt    Use MvcHandler DisableMvcResponseHeader in  Net Application Start event for disabling X-AspNetMvc-Version  MvcHandler DisableMvcResponseHeader   true    And finally  remove in IIS configuration the X-Powered-By custom header in web config    lt system webServer gt           lt httpProtocol gt       lt customHeaders gt         lt remove name  X-Powered-By    gt       lt  customHeaders gt     lt  httpProtocol gt         lt  system webServer gt    Beware  if you have ARR  Application Request Routing   it will also add its own X-Powered-By  which will not be removed by custom headers settings  This one has to be removed through the IIS Manager  Editor configuration on the IIS root  not on a site   go to system webServer proxy node and set arrResponseHeader to false  After an IISReset  it is taken into account   I have found this one here  excepted this post is about old IIS 6 0 way of configuring things    Do not forget that solution by application code does not apply by default to header generated on static content  you may activate the runAllManagedModulesForAllRequests for changing that  but it causes all requests to run  Net pipeline   It is not an issue for X-AspNetMvc-Version since it is not added on static content  at least if static request are not run in  Net pipeline    Side note  when the aim is to cloak used technology  you should also change standard  Net cookie names   ASPXAUTH if forms auth activated  use name attribute on forms tag in web config   ASP NET SessionId  use  lt sessionState cookieName  yourName    gt  in web config under system web tag     RequestVerificationToken  change it by code with AntiForgeryConfig CookieName  but unfortunately does not apply to the hidden input this system generates in the html

User · Answer

With the URL Rewrite Module Version 2 0 for IIS  UrlRewrite  enabled  in the configuration section  lt configuration gt     lt system webServer gt     lt rewrite gt  add the outbound rule    lt outboundRules gt     lt rule name  Remove RESPONSE Server   gt       lt match serverVariable  RESPONSE Server  pattern        gt       lt action type  Rewrite  value      gt     lt  rule gt   lt  outboundRules gt

User · Answer

In IIS 10  we use a similar solution to Drew s approach  i e    using System  using System Web   namespace Common Web Modules Http            lt summary gt          Sets custom headers in all requests  e g   Server  header  or simply remove some           lt  summary gt      public class CustomHeaderModule   IHttpModule               public void Init HttpApplication context                        context PreSendRequestHeaders    OnPreSendRequestHeaders                     public void Dispose                     lt summary gt              Event handler that implements the desired behavior for the PreSendRequestHeaders event              that occurs just before ASP NET sends HTTP headers to the client                            lt  summary gt               lt param name  sender  gt  lt  param gt               lt param name  e  gt  lt  param gt          void OnPreSendRequestHeaders object sender  EventArgs e                          HttpContext Current Response Headers Remove  Server                HttpContext Current Response Headers Set  Server    MyServer                        And obviously add a reference to that dll in your project s  and also the module in the config s  you want    x000D   x000D   lt system webServer gt  x000D       lt modules gt  x000D         lt  --Use http module to remove customize IIS  Server  header-- gt  x000D         lt add name  CustomHeaderModule  type  Common Web Modules Http CustomHeaderModule    gt  x000D       lt  modules gt  x000D   lt  system webServer gt  x000D   x000D   x000D    IMPORTANT NOTE1  This solution needs an application pool set as integrated   IMPORTANT NOTE2  All responses within the web app will be affected by this  css and js included

User · Answer

This web config setup works to remove all unnecessary headers from the ASP NET response  at least starting from IIS 10     lt system web gt       lt  -- Removes version headers from response -- gt       lt httpRuntime enableVersionHeader  quot false quot    gt   lt  system web gt    lt system webServer gt       lt httpProtocol gt           lt customHeaders gt               lt  --Removes X-Powered-By header from response -- gt               lt clear   gt           lt  customHeaders gt       lt  httpProtocol gt        lt security gt           lt  --Removes Server header from response-- gt           lt requestFiltering removeServerHeader   quot true quot    gt       lt  security gt   lt  system webServer gt   Please note that this hides all the headers for the  quot application quot   as do all the other approaches  If you e g  reach some default page or an error page generated by the IIS itself or ASP NET outside your application these rules won t apply  So ideally they should be on the root level in IIS and that sill may leave some error responses to the IIS itself  P S  There is a bug in IIS 10 that makes it sometimes show the server header even with correct config  It should be fixed by now  but IIS Windows has to be updated

User · Answer

Try setting the HKLM SYSTEM CurrentControlSet Services HTTP Parameters DisableServerHeader registry entry to a REG DWORD of 1

User · Answer

To remove the Server  header  go to Global asax  find create the Application PreSendRequestHeaders event and add a line as follows  thanks to BK and this blog this will also not fail on the Cassini   local dev    protected void Application PreSendRequestHeaders object sender  EventArgs e           Remove the  Server  HTTP Header from response     HttpApplication app   sender as HttpApplication      if  null    app  amp  amp  null    app Request  amp  amp   app Request IsLocal  amp  amp          null    app Context  amp  amp  null    app Context Response                NameValueCollection headers   app Context Response Headers          if  null    headers                        headers Remove  Server                        If you want a complete solution to remove all related headers on Azure IIS7 and also works with Cassini  see this link  which shows the best way to disable these headers without using HttpModules or URLScan

User · Answer

The solution proposed above in combination worked for me with following changes  Here I am posting my scenario and solution  For me I wanted to remove the following headers   Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version  I added these to my global asax   lt    Application Language  quot C  quot    gt   lt script runat  quot server quot  gt      protected void Application PreSendRequestHeaders                 Response Headers Remove  quot Server quot            Response Headers Remove  quot X-Powered-By quot            Response Headers Remove  quot X-AspNet-Version quot            Response Headers Remove  quot X-AspNetMvc-Version quot           lt  script gt   The above event was not getting triggered  so for that I added following to web config then it worked   lt modules runAllManagedModulesForAllRequests  quot true quot    gt   and for removing version header I also added following to web config   lt httpRuntime enableVersionHeader  quot false quot    gt   Changes in web config   lt  xml version  quot 1 0 quot  encoding  quot UTF-8 quot   gt   lt configuration gt       lt system webServer gt           lt modules runAllManagedModulesForAllRequests  quot true quot    gt       lt  system webServer gt       lt system web gt           lt httpRuntime enableVersionHeader  quot false quot    gt       lt  system web gt   lt  configuration gt   Hope it helps

User · Answer

UrlScan  can also remove the server header by using AlternateServerName  under  options

User · Answer

Addition to the URL Rewrite answer  here is the complete XML for web config   lt system webServer gt     lt rewrite gt       lt outboundRules gt         lt rule name  Remove RESPONSE Server   gt           lt match serverVariable  RESPONSE Server  pattern        gt           lt action type  Rewrite  value  Company name    gt         lt  rule gt       lt  outboundRules gt     lt  rewrite gt   lt  system webServer gt    URL Rewrite

User · Answer

I tried all of the stuff here and on several other similar stack overflow threads     I got hung up for a bit because I forgot to clear my browser cache after making config changes   If you don t do that and the file is in your local cache  it will serve it back to you with the original headers  duh    I got it mostly working by removing the runAllManagedModulesForAllRequests    lt modules runAllManagedModulesForAllRequests  true  gt    This removed the extraneous headers from most of the static files but I still was getting the  Server  header on some static files in my WebAPI project in swagger   I finally found and applied this solution and now all of the unwanted headers are gone   https   www dionach com blog easily-remove-unwanted-http-headers-in-iis-70-to-85  which discusses his code that is here   https   github com Dionach StripHeaders releases tag v1 0 5  This is a Native-Code module   It is able to remove the Server header  not just blank out the value   By default it removes    Server X-Powered-By X-Aspnet-Version Server  Microsoft-HTTPAPI 2 0  -- which would be returned if  the request fails to be passed to IIS

User · Answer

Actually the coded modules and the Global asax examples shown above only work for valid requests   For example  add  lt  on the end of your URL and you will get a  Bad request  page which still exposes the server header   A lot of developers overlook this   The registry settings shown do not work either   URLScan is the ONLY way to remove the  server  header  at least in IIS 7 5

User · Answer

In IIS7 you have to use an HTTP module  Build the following as a class library in VS   namespace StrongNamespace HttpModules     public class CustomHeaderModule   IHttpModule          public void Init HttpApplication context              context PreSendRequestHeaders    OnPreSendRequestHeaders              public void Dispose             void OnPreSendRequestHeaders object sender  EventArgs e              HttpContext Current Response Headers Set  Server    Box of Bolts                  Then add the following to your web config  or you configure it within IIS  if you configure within IIS  the assembly must be in the GAC     lt configuration gt     lt system webServer gt       lt modules gt         lt add name  CustomHeaderModule         type  StrongNamespace HttpModules CustomHeaderModule    gt       lt  modules gt     lt  system webServer gt   lt  configuration gt

User · Answer

If you just want to remove the header you can use a shortened version of lukiffer s answer   using System Web   namespace Site       public sealed class HideServerHeaderModule   IHttpModule               public void Dispose                public void Init HttpApplication context                        context PreSendRequestHeaders                 sender  e    gt  HttpContext Current Response Headers Remove  Server                        And then in Web config    lt system webServer gt     lt modules runAllManagedModulesForAllRequests  true  gt       lt add name  CustomHeaderModule  type  Site HideServerHeaderModule    gt     lt  modules gt   lt  system webServer gt

User · Answer

I found an article that explains why we need to do both Registry edit and use a tool such as UrlScan to set this up in IIS properly  I followed it on our servers and it works  http   blogs msdn com b varunm archive 2013 04 23 remove-unwanted-http-response-headers aspx  If you only use UrlScan but don t do the registry change  during the time you are stopping World Wide Publishing Service  your server will return server http response from the HTTP sys file  Also  here are common pitfals of using UrlScan tool  http   msdn microsoft com en-us library ff648552 aspx ht urlscan 008

User · Answer

Following up on eddiegroves  answer  depending on the version of URLScan  you may instead prefer RemoveServerHeader 1 under  options    I m not sure in which version of URLScan this option was added  but it has been available in version 2 5 and later

User · Answer

You can add below code in Global asax cs file       protected void Application PreSendRequestHeaders                 Response Headers Remove  Server

[security] Remove Server Response Header IIS7

Examples related to security

Examples related to iis-7

Examples related to header

Examples related to response