Remove the Server header from IIS 10 403 Forbidden error page

We have an ASP.NET MVC application which is hosted on IIS 10. In order to close an information disclosure vulnerability we need to remove all the headers which disclose the web server's information, like Server, X-Powered-By, etc.

We have enabled all the options to remove these headers, but when we request some nonexistent page, like "/Controller/Action", we get a 403 Forbidden error page with the Server header.

I already tried URL Rewrite rules, editing registry, adding some properties to web.config, but it doesn't work.

How can I remove it?

As you mentioned that you enabled all the options to remove the header, I think you may use the configuration below in your web.config.

<security>
  <requestFiltering removeServerHeader="true" />
</security>

Apart from this, you can also use URL Rewrite to remove the Server header. URL Rewrite can filter all of the responses and remove the header which you specify. You can refer to the steps below:

1. Install the "URL Rewrite" extension.

2. Open your IIS Manager, double-click "URL Rewrite" and click "View Server Variables".

3. Click "Add" button to add a variable named "RESPONSE_SERVER".

4. Go back to "URL Rewrite" and add an outbound rule.

5. Then create the rule with the information as below.

After creating this rule, we can filter all of the outbound responses and remove the Server header. You can also refer to this document about this solution.
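The settings discussed in this thread, written out as one web.config (an added example, not part of the original question or answer). The rule name `RemoveServerHeader` and the `.+` pattern are assumptions; the rule is a textual form of an outbound rule on the `RESPONSE_SERVER` variable, and the `X-Powered-By` removal covers the other header named in the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>

    <!-- IIS 10 and later: stop IIS from emitting the Server header -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>

    <!-- Remove the X-Powered-By header that IIS adds by default -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <!-- Requires the URL Rewrite extension (step 1 above) -->
    <rewrite>
      <outboundRules>
        <!-- Rule name is an assumption; any unique name works -->
        <rule name="RemoveServerHeader">
          <!-- RESPONSE_SERVER maps to the Server response header;
               ".+" matches any non-empty value -->
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <!-- Rewrite the header value to an empty string -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

  </system.webServer>
</configuration>
```

Outbound rules and `removeServerHeader` apply only to responses that pass through the IIS pipeline for this site. A response generated by HTTP.sys itself carries `Server: Microsoft-HTTPAPI/2.0` and is not affected by web.config.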
