Remove Server Response Header IIS 8.0 / 8.5

Question

How can we remove the server header response in IIS 8.0/8.5?
My current server report: Microsoft-IIS/8.0 Microsoft-IIS/8.5
For IIS 7.0 I used the URLScan 3.1 however this is only supported for IIS 7.0 and not 8.x

Answer 1

There is another solution and in my opinion this solution is the best and safe.

You can use UrlRewrite module created by the Microsoft. The Url Rewrite module redirects your url and can also change your IIS server name in the response header.

You don't have to use redirect property. You can use just change the Server header value.

Here are the steps:

1. First, download UrlRewrite module from this link: http://www.iis.net/downloads/microsoft/url-rewrite and install it on your IIS server. After that, restart IIS by this command on cmd console

    iisreset /restart 

2. Add the following item to the your web config file under the <system.WebServer> tag. You can write anything to the Value item as server name.

   

3. Finally we changed the IIS version name on the data's header. Restart IIS again. via cmd console.

4. Bonus: If you want to test your website to see if it is working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

PS: I tested it and it worked for me on the IIS server. Not on the has been created temproray IIS server by the Visual studio.

Answer 2

Unfortunately most of the recommendations you will find online for removing the "Server" header in IIS will not work for IIS 8.0 and 8.5. I have found the only working option, and in my opinion, also the best, is to use an IIS Native-Code module.

Native-Code modules differ from the more common Managed modules, as they are written using the win32 APIs rather than ASP.NET. This means that they work for all requests (including static pages and images) rather than just requests that past though the ASP.NET pipeline. Using a Native-Code module, it is possible to remove unwanted headers at the very end of the request, meaning that you can remove headers (including the "Server" header) regardless of where they have been set.

Binaries and source code of an example Native-Code module for removing headers in IIS 7.0 to 8.5 are available in the following article.

http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

Answer 3

Just use clear tag in custom headers segment in web.config:

<system.webServer>
   <httpProtocol>
      <customHeaders>
           <clear />
            <add name="X-Custom-Name1" value="MyCustomValue1" />
            <add name="X-Custom-Name2" value="MyCustomValue2" />
      </customHeaders>
   </httpProtocol>
</system.webServer>

For dynamic headers, You can use this code in Global.ascx:

protected void Application_PreSendRequestHeaders() 
   {
       Response.Headers.Remove("Server");
       Response.AddHeader("Sample1", "Value1");
   }

Answer 4

This is dead simple. Just create a custom module:

public class HeaderStripModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.PreSendRequestHeaders += (sender, args) => HttpContext.Current.Response.Headers.Remove("Server");
    }

    public void Dispose(){}
}

And then register in web.config or applicationHost.config if you want machine wide implementation.

<system.webServer>
  <modules>
      <add name="HeaderStripModule" type="MyNamespace.HeaderStripModule" />
  </modules>
</system.webServer>

Answer 5

For the above problem, add the below code in Global.asax.cs

protected void Application_PreSendRequestHeaders() 
   {
       Response.Headers.Remove("Server");
       Response.AddHeader("Sample1", "Value1");
   }

It got the problem resolved after so much browsing.

Answer 6

It is possible now to remove Server header from web.config starting from IIS 10.0 :

<security>
  <requestFiltering removeServerHeader ="true" />
</security>

More details on how to remove all unwanted/unnecessary headers can be found here .

Please note that this hides server header from the "application", as do all the other approaches. If you eg reach some default page or an error page generated by the IIS itself or ASP.NET outside your application these rules won't apply. So ideally they should be on the root level in IIS and that sill may leave some error responses to the IIS itself.

There is a bug in IIS 10 that makes it sometimes show the header even with config. It should be fixed by now, but IIS/Windows has to be updated.

Answer 7

URLScan has been discontinued starting from IIS 7.5, since its functionalities are supposed to be available through "request filtering" option (feature added in IIS 7.5).

But the URLScan's 'Remove server header' option does not look like having any equivalent in "request filtering".

As said on this answer and this answer to you question , you can emptied the Server with URLRewrite instead, which remains available on IIS 8/8.5 (with some update required for having its UI in IIS administration console).

It turns out, looking at this blog , that URLScan can still be installed on IIS 8/8.5, if lack of official support is not an issue.

I have not tested myself. Here are the steps:

• Install IIS 6 Metabase compatibility (if not already there)
• Install Isapi Filters (if not already there)
• Install URLScan (from download-able installer, not from web platform installer)
• Configure URLScan through its ini file (by default in C:\\Windows\\System32\\inetsrv\\urlscan )

Maybe some iisreset or even a reboot should be done. URLScan should be visible in IIS among Isapi filters

Answer 8

In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.