121

Is there any way to remove the "Server" response header from IIS7? There are some articles showing that using HttpModules we can achieve the same thing. This will be helpful if we don't have admin rights to the server. Also I don't want to write an ISAPI filter.

I have admin rights to my server. So I don't want to do the above stuff. So, please help me to do the same.

user247702

20 Answers

124

Add this to your global.asax.cs:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}
bkaid
  • I tried the registry option from @Richard above with no luck. I'm using Win 2008 R2 and the registry key was missing so I added a new DWORD key, which may have been incorrect. This option worked perfectly though. Thanks! – Ben Barreth Sep 15 '11 at 15:39
  • 11
    Don't know why the http module answer is higher than this one, this one is much easier – jjxtra Dec 02 '11 at 20:44
  • This is the simplest method I've found to remove the 'Server' header from IIS7 responses. Thanks. – Corgalore May 17 '12 at 14:46
  • This should be the preferred answer. very small change – jnoreiga Jun 26 '12 at 19:33
  • For me it is displaying an error "Object reference not set to an instance of an object" I am stuck here – Mathew Paul Jul 16 '12 at 05:14
  • 2
    You might find you get a `NullReferenceException` in Cassini if you rely on `HttpContext.Current`. [This blog post](http://www.bugwriter.me/2010/01/removing-unnecessary-http-header-server.html) shows how to do so whilst avoiding breaking Cassini support, if that is important to you. – Owen Blacker Sep 17 '12 at 14:27
  • Weirdly, given this worked for me in September, this is no longer working for me. I can only assume one of the recent Windows Updates messed with it (presumably the one that also added [`net.tcp` and other bindings](http://stackoverflow.com/q/9440744/205245) the other day). – Owen Blacker Jan 25 '13 at 11:29
  • 52
    @PsychoDad this works for ASP.NET requests only, not for static files like .css and .js – Max Toro Jan 25 '13 at 17:06
  • Using IIS 8.0, I'm only seeing the Server header on ASP.NET requests, but not on static files. When I add Response.Headers.Remove("Server"); I don't get the Server header at all. – imjosh Mar 25 '14 at 18:43
  • 1
    To get rid of the MVC header you can do this MvcHandler.DisableMvcResponseHeader = true; – ProVega May 20 '14 at 16:38
  • 7
    It is not a good idea to use the `PreSendRequestHeaders` in a class that implements `IHttpModule` or `Global.asax`. I have witnessed the event freezing the app on the server under stress load. The `BeginRequest` event should work to make response header changes. See http://www.hanselman.com/blog/ChecklistWhatNOTToDoInASPNET.aspx . – Dmitry S. Jul 28 '15 at 16:40
  • 1
    Can put this in EndRequest instead if you prefer, may avoid above freeze risk under load: protected void Application_EndRequest(object sender, EventArgs ev) { Response.Headers.Remove("Server"); } – Chris Moschini Aug 29 '16 at 03:20
  • 1
    As noted in other answers there are problems with this approach (e.g. error requests are not affected). It seems that from IIS10+ there is a way to remove this headers for good with web.config: https://stackoverflow.com/a/53222946/1671558 – Ilya Chernomordik Nov 09 '18 at 09:33
78

In IIS7 you have to use an HTTP module. Build the following as a class library in VS:

using System;
using System.Web;

namespace StrongNamespace.HttpModules
{
  public class CustomHeaderModule : IHttpModule
  {
    public void Init(HttpApplication context)
    {
      // Runs just before the response headers are sent to the client
      context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
      // Replace the value of the Server header
      HttpContext.Current.Response.Headers.Set("Server", "Box of Bolts");
    }
  }
}

Then add the following to your web.config, or you configure it within IIS (if you configure within IIS, the assembly must be in the GAC).

<configuration>
  <system.webServer>
    <modules>
      <add name="CustomHeaderModule"
       type="StrongNamespace.HttpModules.CustomHeaderModule" />
    </modules>
  </system.webServer>
</configuration>
Owen Blacker
lukiffer
  • Excellent, I can also tweak this to remove the ETag header across my server farm. – devstuff Aug 20 '09 at 03:50
  • This causes a runtime error in Cassini... / ASP.NET Dev server – UpTheCreek Feb 03 '11 at 14:52
  • Modifying header values requires IIS7 Integrated Mode, however the exception is ignored unless another exception is thrown in the context of the request. Per the title, the question was targeted at IIS7, not Cassini. – lukiffer Feb 03 '11 at 17:33
  • 2
    @UpTheCreek The ASP.Net dev server (Cassini) won't like that code; [this blog post](http://www.bugwriter.me/2010/01/removing-unnecessary-http-header-server.html) has a solution to it, though — you need to check that the `HttpApplication`, the `HttpRequest`, the `HttpContext`, and the `HttpResponse` are not `null`, as well as checking that `HttpRequest.IsLocal` is `false`. – Owen Blacker Sep 17 '12 at 14:29
  • Weirdly, given this worked for me in September, this is no longer working for me. I can only assume one of the recent Windows Updates messed with it (presumably the one that also added [`net.tcp` and other bindings](http://stackoverflow.com/q/9440744/205245) the other day). – Owen Blacker Jan 25 '13 at 11:29
  • 2
    As modifying the header in `PreSendRequestHeaders` could [cause issues with HttpCacheModule](http://blogs.msdn.com/b/asiatech/archive/2010/10/18/heap-corruption-in-httpcachemodule-while-you-try-to-remove-http-headers-in-your-custom-http-module.aspx), you should use something like `PostReleaseRequestState` instead. – Eirik H Jun 17 '13 at 06:05
  • 8
    The module is not invoked when IIS sends 304 Not Modified header for static files (css / less / images / etc) as this does not reach the ASP.NET pipeline, so in this situation Server: Microsoft IIS/7.5 is still rendered – Jano Jul 11 '14 at 01:07
  • This page is a top result for Google search "server "box of bolts"", so don't forget to change it to something unique or simply remove it by `HttpContext.Current.Response.Headers.Remove("Server");` – Alexander Puchkov May 28 '15 at 14:25
  • Note: if you use it with GAC you should write it with the full qualified name like "StrongNamespace.HttpModules.CustomHeaderModule, StrongNamespace, Version=4.2.0.0, Culture=neutral, PublicKeyToken=31FF3856AF364G35" – Tarek El-Mallah Mar 02 '17 at 19:00
  • *Warning:* using `HttpContext.Current.Response` instead of `Response` property may cause a NullReferenceException! – Bart Verkoeijen Nov 01 '17 at 01:59
  • As noted in other answers there are problems with this approach (e.g. error requests are not affected). It seems that from IIS10+ there is a way to remove this headers for good with web.config: https://stackoverflow.com/a/53222946/1671558 – Ilya Chernomordik Nov 09 '18 at 09:35
66

Scott Mitchell provides in a blog post solutions for removing unnecessary headers.

As already said here in other answers, for the Server header, there is the http module solution, or a web.config solution for IIS 10+, or you can use URLRewrite instead for blanking it.

For this Server header, the most practical solution for an up-to-date (IIS 10 +) setup is using removeServerHeader in the web.config:

<system.webServer>
  ...
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
  ...
</system.webServer>

For X-AspNet-Version and X-AspNetMvc-Version, Scott Mitchell provides a better way than removing them on each response: simply not generating them at all.

Use enableVersionHeader for disabling X-AspNet-Version, in web.config

<system.web>
  ...
  <httpRuntime enableVersionHeader="false" />
  ...
</system.web>

Use MvcHandler.DisableMvcResponseHeader in .Net Application_Start event for disabling X-AspNetMvc-Version

MvcHandler.DisableMvcResponseHeader = true;

And finally, remove in IIS configuration the X-Powered-By custom header in web.config.

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Beware, if you have ARR (Application Request Routing), it will also add its own X-Powered-By, which will not be removed by custom headers settings. This one has to be removed through the IIS Manager, Editor configuration on the IIS root (not on a site): go to system.webServer/proxy node and set arrResponseHeader to false. After an IISReset, it is taken into account.
(I have found this one here, except that this post is about the old IIS 6.0 way of configuring things.)

Do not forget that solution by application code does not apply by default to header generated on static content (you may activate the runAllManagedModulesForAllRequests for changing that, but it causes all requests to run .Net pipeline). It is not an issue for X-AspNetMvc-Version since it is not added on static content (at least if static request are not run in .Net pipeline).

Side note: when the aim is to cloak used technology, you should also change standard .Net cookie names (.ASPXAUTH if forms auth activated (use name attribute on forms tag in web.config), ASP.NET_SessionId (use <sessionState cookieName="yourName" /> in web.config under system.web tag), __RequestVerificationToken (change it by code with AntiForgeryConfig.CookieName, but unfortunately does not apply to the hidden input this system generates in the html)).

Frédéric
  • I added this code; once I added "requestFiltering" a server error appears. If I remove "requestFiltering" it works fine. I want to hide IIS and its version disclosure. My IIS is 10.0. What should I do? Thanks – WeDevelop Aug 27 '20 at 12:49
  • Comments are not suitable for answering questions, better ask another question, after having double checked you meet the requirements documented by Microsoft. (My answer links toward this documentation.) – Frédéric Aug 27 '20 at 17:11
  • -> This gives warning "attribute" is not allowed. – Ashish Shukla Oct 07 '20 at 12:12
  • 1
    @AshishShukla, this is not the case in VS2019. Update your configuration schema in your current IDE. – Frédéric Oct 07 '20 at 15:13
  • Thanks, `` works for me. I am using IIS 10. The URL Rewrite rule I had seems to have broken since upgrading to IIS 10. – Neurion Jan 14 '21 at 21:48
  • 2
    The question was for IIS 7 and this doesn't work in IIS 7 – hexagod Mar 31 '21 at 20:24
  • Most of the answer does work with IIS7 and the parts which do not are properly highlighted. – Frédéric Mar 31 '21 at 20:45
  • I'm sorry but posting a solution for IIS 10 in a topic that is specifically about IIS 7 warrants downvoting. – user3700562 Oct 25 '21 at 10:37
  • 2
    I still cannot get it. Outdated content is a plague. I intend to go-on completing my answers to keep them up-to-date, in the same way I have done here: mentioning from which version it applies and keeping older solutions mentioned. The sentence right above the IIS 10+ solution for the `Server` header is about them, linking toward other answers addressing this point for IIS < 10. What would be the alternative? Duping the question for each new version of IIS? It would cause the optimal answers for each reader case to be quite harder to find. – Frédéric Oct 27 '21 at 13:05
  • Is there a way to make an older version of IIS just ignore these IIS 10 only attributes? If I add them into the web.config, the web app won't start using IIS 8 :( – nvirth Nov 24 '21 at 16:33
  • Not that I know of. If you have to use the same web.config for different IIS versions, you have to use only features supported by the lowest one. – Frédéric Nov 24 '21 at 22:36
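To check a web.config against the settings in the answer above before deploying it, the following Python sketch (an added example, not code from the answer or from Microsoft) reports which headers the file suppresses for a given IIS major version. The function name, the result labels and both sample configs are constructed for illustration; it assumes X-Powered-By is inherited from the server level, and it cannot see X-AspNetMvc-Version, which is disabled in code.

```python
import xml.etree.ElementTree as ET


def audit_web_config(xml_text, iis_major):
    """Return the expected state of each disclosing header for this web.config."""
    root = ET.fromstring(xml_text)
    result = {"warnings": []}

    # X-AspNet-Version is emitted unless enableVersionHeader="false".
    runtime = root.find("system.web/httpRuntime")
    flag = runtime.get("enableVersionHeader", "") if runtime is not None else ""
    result["X-AspNet-Version"] = "suppressed" if flag.lower() == "false" else "emitted"

    # X-Powered-By: assumed to be inherited from the server level (assumption).
    # Children of <customHeaders> apply in document order, so an <add> placed
    # after <clear /> brings the header back.
    powered = "emitted"
    custom = root.find("system.webServer/httpProtocol/customHeaders")
    for child in (list(custom) if custom is not None else []):
        name = child.get("name", "").lower()
        if child.tag == "clear" or (child.tag == "remove" and name == "x-powered-by"):
            powered = "suppressed"
        elif child.tag == "add" and name == "x-powered-by":
            powered = "emitted"
    result["X-Powered-By"] = powered

    # Server: removeServerHeader (IIS 10+) removes the header; an outbound
    # rewrite rule on RESPONSE_Server only blanks or replaces its value.
    server = "emitted"
    for rule in root.findall("system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        if match.get("serverVariable", "").upper() == "RESPONSE_SERVER":
            server = "replaced" if action.get("value", "") else "blanked"
    rf = root.find("system.webServer/security/requestFiltering")
    attr = rf.get("removeServerHeader") if rf is not None else None
    if attr is not None and iis_major < 10:
        server = "config-error"  # older IIS rejects the unknown attribute
        result["warnings"].append("removeServerHeader requires IIS 10+")
    elif attr is not None and attr.lower() == "true":
        server = "removed"
    result["Server"] = server

    modules = root.find("system.webServer/modules")
    if modules is not None and modules.get("runAllManagedModulesForAllRequests", "").lower() == "true":
        result["warnings"].append("runAllManagedModulesForAllRequests: every request runs the .NET pipeline")
    return result


# Constructed sample configs mirroring the snippets on this page.
CONFIG_IIS10 = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer>
    <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
    <security><requestFiltering removeServerHeader="true" /></security>
  </system.webServer>
</configuration>"""

CONFIG_REWRITE = """<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <rewrite><outboundRules>
      <rule name="Remove RESPONSE_Server">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules></rewrite>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    print("IIS 10:", audit_web_config(CONFIG_IIS10, 10))
    print("IIS 8: ", audit_web_config(CONFIG_IIS10, 8))
    print("IIS 7: ", audit_web_config(CONFIG_REWRITE, 7))
```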
46

With the URL Rewrite Module Version 2.0 for IIS (UrlRewrite) enabled, in the configuration section <configuration><system.webServer><rewrite> add the outbound rule:

<outboundRules>
  <rule name="Remove RESPONSE_Server" >
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
</outboundRules>
ite-klass
Dudu
  • 13
    Note that this only blanks the Server header, it does not remove it. – Nick Evans Oct 09 '12 at 15:28
  • Sorry for the ignorance but to which part should I add this in ?! I tried adding it inside – Vignesh Subramanian Nov 15 '13 at 12:59
  • 1
    Thanks! Works in IIS 8.5, this is so easy. I don't have a text editor but you can easily use the GUI. The name should be RESPONSE_Server, not just Server (this is where I failed at first). – Louis Matthijssen Sep 02 '14 at 20:26
  • this is good enough if you got a non-ASP.Net application, therefore you can't remove server header with mentioned codes – mhesabi May 12 '15 at 03:52
  • 4
    @vignesh this is some UrlRewrite config subnodes. You have to put them under a `rewrite` node in `system.webServer`. Beware, this will crash your site if UrlRewrite is not installed on the server. And you'd better use the IIS configuration console first to check how it write down those config nodes. – Frédéric Sep 04 '15 at 19:31
  • If a 500 Internal Server Error occurs for the configured website it is revealing server info. Can anyone help on this – ravithejag Mar 10 '17 at 10:11
  • You can now get rid of Server response for good. At least from IIS10+ there is a way to remove this headers with web.config: https://stackoverflow.com/a/53222946/1671558 – Ilya Chernomordik Nov 09 '18 at 09:35
  • the question was for IIS7 and the rest of the responses did not work in IIS7 as the other people even said they were for IIS10. this one worked. good stuff +1 – hexagod Mar 31 '21 at 20:21
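Since an outbound rule only blanks the value, and the comments above report error and static-file responses that still carry the header, the result is worth verifying per response type. The following Python audit is an added example (not from the original answers); it takes raw response heads and distinguishes absent, blank and disclosed headers. The sample responses and all function names are constructed.

```python
# Headers named in the answers on this page.
DISCLOSING = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def parse_head(raw):
    """Return (status_code, [(name, value), ...]) from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers


def state_of(headers, name):
    """'absent', 'blank' (header sent with an empty value) or the disclosed value."""
    values = [v for n, v in headers if n.lower() == name.lower()]
    if not values:
        return "absent"
    return ", ".join(v for v in values if v) or "blank"


def origin_of(server_value):
    """Guess which component answered, from the Server formats quoted on this page."""
    if server_value.startswith("Microsoft-HTTPAPI/"):
        return "HTTP.sys"  # the request was not passed to IIS
    if server_value.startswith("Microsoft-IIS/"):
        return "IIS"
    return "unknown"


def audit(samples):
    """Map each sample label to its status, non-absent headers and likely origin."""
    report = {}
    for label, raw in samples.items():
        status, headers = parse_head(raw)
        findings = {}
        for name in DISCLOSING:
            state = state_of(headers, name)
            if state != "absent":
                findings[name] = state
        report[label] = {
            "status": status,
            "findings": findings,
            "origin": origin_of(findings.get("Server", "")),
        }
    return report


def leaking(report):
    """Labels whose response still discloses a value (a blank header carries none)."""
    return [label for label, r in report.items()
            if any(v != "blank" for v in r["findings"].values())]


def _resp(status_line, *headers):
    return "\r\n".join((status_line,) + headers) + "\r\n\r\n"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "page-200": _resp("HTTP/1.1 200 OK", "Content-Type: text/html", "Server:"),
    "static-304": _resp("HTTP/1.1 304 Not Modified", "Server: Microsoft-IIS/7.5"),
    "rejected-400": _resp("HTTP/1.1 400 Bad Request", "Server: Microsoft-HTTPAPI/2.0"),
    "error-500": _resp("HTTP/1.1 500 Internal Server Error",
                       "Server: Microsoft-IIS/7.5", "X-Powered-By: ASP.NET"),
}

if __name__ == "__main__":
    report = audit(SAMPLES)
    for label, r in report.items():
        print(label, r["status"], r["origin"], r["findings"])
    print("still leaking:", leaking(report))
```

To use it on your own site, replace the constructed samples with the output of `curl -si` for one page, one static file and one error response.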
25

This web.config setup works to remove all unnecessary headers from the ASP.NET response (at least starting from IIS 10):

<system.web>
    <!-- Removes version headers from response -->
    <httpRuntime enableVersionHeader="false" />
</system.web>

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!--Removes X-Powered-By header from response -->
            <clear />
        </customHeaders>
    </httpProtocol>

    <security>
        <!--Removes Server header from response-->
        <requestFiltering removeServerHeader ="true" />
    </security>
</system.webServer>

Please note that this hides all the headers for the "application", as do all the other approaches. If you e.g. reach some default page or an error page generated by the IIS itself or ASP.NET outside your application these rules won't apply. So ideally they should be on the root level in IIS and that still may leave some error responses to the IIS itself.

P.S. There is a bug in IIS 10 that makes it sometimes show the server header even with correct config. It should be fixed by now, but IIS/Windows has to be updated.

Krptodr
Ilya Chernomordik
22

Actually the coded modules and the Global.asax examples shown above only work for valid requests.

For example, add < on the end of your URL and you will get a "Bad request" page which still exposes the server header. A lot of developers overlook this.

The registry settings shown do not work either. URLScan is the ONLY way to remove the "server" header (at least in IIS 7.5).

Dan Ware
18

Or add in web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-AspNet-Version" />
            <remove name="X-AspNetMvc-Version" />
            <remove name="X-Powered-By" />
            <!-- <remove name="Server" />  this one doesn't work -->
        </customHeaders>
    </httpProtocol>
</system.webServer>
Kobi
Anders
  • 3
    This method doesn't remove the 'Server' header. The others are removed. – Pure.Krome Jan 12 '14 at 12:30
  • You can get rid of the X-Powered-By in the Response headers configuration on the server level. – Snowburnt Oct 02 '14 at 17:42
  • 1
    I don't know if there are cases where this way removes the `X-AspNet-Version` and `X-AspNetMvc-Version` headers. What I know is this way does not always work (if it ever works). See @Frederic answer for a more reliable way to remove them. – TheBlueSky Mar 05 '15 at 03:44
  • There is a way now in IIS10+ to remove the server header: https://stackoverflow.com/a/53222946/1671558 – Ilya Chernomordik Nov 09 '18 at 09:30
13

Addition to the URL Rewrite answer, here is the complete XML for web.config

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Remove RESPONSE_Server" >
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="Company name" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

URL Rewrite

Community
Vaibhav Garg
  • Does this remove all IIS and ASP versions from hacker – aggie Dec 04 '15 at 18:55
  • 1
    The above fix is working correctly for the web pages. But for images/icons, if a 500 Internal Server Error occurred it's showing the Server: Microsoft-IIS/7.5 instead of the value. Can you please help me on this – ravithejag Mar 09 '17 at 09:28
11

To remove the Server: header, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add a line as follows (thanks to BK and this blog this will also not fail on the Cassini / local dev):

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Remove the "Server" HTTP header from the response
    // (NameValueCollection requires: using System.Collections.Specialized;)
    HttpApplication app = sender as HttpApplication;
    if (null != app && null != app.Request && !app.Request.IsLocal &&
        null != app.Context && null != app.Context.Response)
    {
        NameValueCollection headers = app.Context.Response.Headers;
        if (null != headers)
        {
            headers.Remove("Server");
        }
    }
}

If you want a complete solution to remove all related headers on Azure/IIS7 and also works with Cassini, see this link, which shows the best way to disable these headers without using HttpModules or URLScan.

Community
Nick Evans
9

If you just want to remove the header you can use a shortened version of lukiffer's answer:

using System.Web;

namespace Site
{
    public sealed class HideServerHeaderModule : IHttpModule
    {
        public void Dispose() { }

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders +=
            (sender, e) => HttpContext.Current.Response.Headers.Remove("Server");
        }
    }
}

And then in Web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="CustomHeaderModule" type="Site.HideServerHeaderModule" />
  </modules>
</system.webServer>
Owen Blacker
Drew Noakes
  • 1
    This is most appropriate because resources like css/js will not have the Server header, it ports from server to server without configuration and the Server response header won't just be empty, it will not be sent. – Adam Caviness Oct 27 '16 at 18:12
  • I have seen comments that runAllManagedModulesForAllRequests="true" will slow down your app and is not recommended. Instead one could use urlrewrite module outboundRules to clear the server value also for static files. http://www.britishdeveloper.co.uk/2010/06/dont-use-modules-runallmanagedmodulesfo.html – Juri Aug 30 '17 at 22:38
5

Try setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to a REG_DWORD of 1.

Owen Blacker
Richard Deeming
  • Ran into an odd situation with our server farm where this registry setting seems to be the only change that works across all of the OS's (W2K8, W2K3) we're using, for both IIS6 and IIS7. – jerhewet Feb 08 '12 at 19:15
  • 3
    Frustratingly, this isn't making any difference for me, even after rebooting the virtual machine. We're running IIS 7.5 on Windows Server 2008 R2 Standard, "Version 6.1 (Build 7601: Service Pack 1)". Similarly, my `OnPreSendRequestHeaders` event handler (see above) is never firing, for some reason. – Owen Blacker Jan 25 '13 at 11:27
  • 4
    Unfortunately the registry key doesn't seem to work on IIS 7.5 – Andrew Csontos Jun 21 '13 at 17:20
4

UrlScan can also remove the server header by using AlternateServerName= under [options].

Eddie Groves
2

I found an article that explains why we need to do both Registry edit and use a tool such as UrlScan to set this up in IIS properly. I followed it on our servers and it works: http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx. If you only use UrlScan but don't do the registry change, during the time you are stopping World Wide Publishing Service, your server will return server http response from the HTTP.sys file. Also, here are common pitfalls of using UrlScan tool: http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_008

Pawel
2

In IIS 10, we use a similar solution to Drew's approach, i.e.:

using System;
using System.Web;

namespace Common.Web.Modules.Http
{
    /// <summary>
    /// Sets custom headers in all requests (e.g. "Server" header) or simply remove some.
    /// </summary>
    public class CustomHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        /// <summary>
        /// Event handler that implements the desired behavior for the PreSendRequestHeaders event,
        /// that occurs just before ASP.NET sends HTTP headers to the client.
        /// 
        /// </summary>
        /// <param name="sender"></param>
        /// <param name="e"></param>
        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            //HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Set("Server", "MyServer");
        }
    }
}

And obviously add a reference to that dll in your project(s) and also the module in the config(s) you want:

<system.webServer>
    <modules>
      <!--Use http module to remove/customize IIS "Server" header-->
      <add name="CustomHeaderModule" type="Common.Web.Modules.Http.CustomHeaderModule" />
    </modules>
</system.webServer>

IMPORTANT NOTE1: This solution needs an application pool set as integrated;

IMPORTANT NOTE2: All responses within the web app will be affected by this (css and js included);

xautau
2

Following up on eddiegroves' answer, depending on the version of URLScan, you may instead prefer RemoveServerHeader=1 under [options].

I'm not sure in which version of URLScan this option was added, but it has been available in version 2.5 and later.

Community
techtician
1

I had researched this and the URLRewrite method works well. Can't seem to find the change scripted anywhere well. I wrote this compatible with PowerShell v2 and above and tested it on IIS 7.5.

# Load the IIS cmdlets (needed on PowerShell v2, which does not auto-load modules)
    Import-Module WebAdministration
# Add Allowed Server Variable
    Add-WebConfiguration /system.webServer/rewrite/allowedServerVariables -atIndex 0 -value @{name="RESPONSE_SERVER"}
# Rule Name
    $ruleName = "Remove Server Response Header"
# Add outbound IIS Rewrite Rule
    Add-WebConfigurationProperty -pspath "iis:\" -filter "system.webServer/rewrite/outboundrules" -name "." -value @{name=$ruleName; stopProcessing='False'}
# Set Properties of newly created outbound rule
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/match" -name "serverVariable" -value "RESPONSE_SERVER"
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/match" -name "pattern" -value ".*"
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/action" -name "type" -value "Rewrite"
Bill M
1

You can add below code in Global.asax.cs file

    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
    }
1

The solution proposed above in combination worked for me with following changes. Here I am posting my scenario and solution.

For me I wanted to remove the following headers:

  • Server
  • X-Powered-By
  • X-AspNet-Version
  • X-AspNetMvc-Version

I added these to my global.asax:

<%@ Application Language="C#" %>
<script runat="server">
    protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
        Response.Headers.Remove("X-Powered-By");
        Response.Headers.Remove("X-AspNet-Version");
        Response.Headers.Remove("X-AspNetMvc-Version");
    }
</script>

The above event was not getting triggered, so for that I added following to web.config then it worked.

<modules runAllManagedModulesForAllRequests="true" />

and for removing version header I also added following to web.config:

<httpRuntime enableVersionHeader="false" />

Changes in web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
    <system.web>
        <httpRuntime enableVersionHeader="false" />
    </system.web>
</configuration>

Hope it helps!

Zaki Mohammed
0

I tried all of the stuff here and on several other similar stack overflow threads.

I got hung up for a bit because I forgot to clear my browser cache after making config changes. If you don't do that and the file is in your local cache, it will serve it back to you with the original headers (duh).

I got it mostly working by removing the runAllManagedModulesForAllRequests:

<modules runAllManagedModulesForAllRequests="true">

This removed the extraneous headers from most of the static files but I still was getting the "Server" header on some static files in my WebAPI project in swagger.

I finally found and applied this solution and now all of the unwanted headers are gone:

https://www.dionach.com/en-au/blog/easily-remove-unwanted-http-headers-in-iis-7-0-to-8-5/

which discusses his code that is here:

https://github.com/Dionach/StripHeaders/releases/tag/v1.0.5

This is a Native-Code module. It is able to remove the Server header, not just blank out the value. By default it removes:

  • Server
  • X-Powered-By
  • X-Aspnet-Version
  • Server: Microsoft-HTTPAPI/2.0 -- which would be returned if "the request fails to be passed to IIS"
Devraj Gadhavi
TechSavvySam
0

IIS 7.5 and possibly newer versions have the header text stored in iiscore.dll

Using a hex editor, find the string and the word "Server" 53 65 72 76 65 72 after it and replace those with null bytes. In IIS 7.5 it looks like this:

4D 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 37 2E 35 00 00 00 53 65 72 76 65 72 

Unlike some other methods this does not result in a performance penalty. The header is also removed from all requests, even internal errors.

3dcdr