44

How can we remove the Server response header in IIS 8.0/8.5?
My current servers report: Microsoft-IIS/8.0 Microsoft-IIS/8.5
For IIS 7.0 I used URLScan 3.1; however, this is only supported for IIS 7.0 and not 8.x.

Saurabh R S
BastianW
  • Was somewhat already answered [here](http://stackoverflow.com/a/12615970/1178314) – Frédéric Sep 15 '15 at 08:15
  • 2
    @Frederic, yes for IIS 7.0 BUT this thread here is for IIS 8.0/8.5 and URLScan is not supported there. – BastianW Sep 16 '15 at 17:04
  • The link directs to a URLRewrite solution, not URLScan. UrlRewrite works well under IIS 8 (and even better since an update has brought back its UI in the IIS console; previously we had to set it up directly through web.config only). – Frédéric Sep 16 '15 at 17:09

8 Answers

28

There is another solution, and in my opinion this solution is the best and is safe.

You can use the UrlRewrite module created by Microsoft. The URL Rewrite module redirects your URL and can also change your IIS server name in the response header.

You don't have to use the redirect property. You can just change the Server header value.

Here are the steps:

  1. First, download the UrlRewrite module from this link: http://www.iis.net/downloads/microsoft/url-rewrite and install it on your IIS server. After that, restart IIS with this command in a cmd console:

    iisreset /restart
    
  2. Add the following item to your web.config file under the <system.webServer> tag. You can write anything in the value item as the server name.

    enter image description here

  3. Finally, we have changed the IIS version name in the response header. Restart IIS again via the cmd console.

  4. Bonus: If you want to test whether it is working on your website, you can use the "HttpRequester" Mozilla Firefox plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

PS: I tested it and it worked for me on the IIS server, but not on the temporary IIS server created by Visual Studio.

Community
Mahmut EFE
  • 3
    The problem is that URL rewrites need server resources (e.g. CPU). So if you have a system which performs a lot of requests, for example a Microsoft Exchange (EAS) server, then a URL rewrite might cause bad delays for your users... – BastianW Apr 14 '15 at 18:33
  • 2
    There is a better way now (at least in IIS 10+): https://stackoverflow.com/a/53225082/1671558 – Ilya Chernomordik Nov 09 '18 at 11:41
  • How to turn off Server Signature in IIS 8..?? – Abijith Ajayan Oct 31 '19 at 09:55
  • @AbijithAjayan There are many features in the "UrlRewrite" module. I strongly recommend playing with it. – Mahmut EFE Nov 02 '19 at 14:23
  • 2
    It works for POST and GET requests only; the Server header still shows the IIS version for the PUT and TRACE methods. – user3782114 Feb 12 '21 at 11:44
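
The configuration that step 2 of the answer above refers to was posted as an image and is not preserved here. As an added example (not the answer author's own configuration), a URL Rewrite outbound rule that rewrites the Server header looks like this; the rule name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rule name is a placeholder chosen for this example. -->
        <rule name="Blank Server header">
          <!-- RESPONSE_Server is how URL Rewrite exposes the outgoing
               Server header; ".+" matches any non-empty value. -->
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <!-- An empty value blanks the header. Put a neutral string
               here instead to replace the value rather than blank it. -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule only applies to responses that pass through the site where it is configured and requires the URL Rewrite module to be installed. Check error pages and methods other than GET and POST separately, as the comments above report the header still appearing there.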
18

Add the below code in Global.asax.cs:

```csharp
protected void Application_PreSendRequestHeaders()
{
    // Remove the default Server header
    Response.Headers.Remove("Server");

    // Optionally, add your own Server header
    Response.AddHeader("Server", "My-App/1.0");
}
```

This has been tested to work under IIS 8.5 and 10.0.

Palec
Girish Arora
  • This answer is the only answer that worked to remove the "Server" header for *.axd requests on IIS 8.5. Thank you! – Jonathan Harris Jun 30 '20 at 15:00
  • I need to support both IIS 10.0 and 8.5 and this is the solution for me. `` generates 500 responses and UrlRewrite module is an extra dependency. – Palec Sep 07 '22 at 20:25
  • This also works in IIS 8.0 (Windows Server 2012.) However, I found that using this technique on a site that has custom error handling and runAllManagedModulesForAllRequests="true" in the web.config resulted in ignoring all our custom error handlers and using the default IIS error pages (not good.) So I moved the Response.Headers.Remove() call to the Application_BeginRequest() method, and that worked fine without disrupting our error handling. – Jordan Rieger May 10 '23 at 23:46
16

It is now possible to remove the Server header from web.config, starting from IIS 10.0:

```xml
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
```

More details on how to remove all unwanted/unnecessary headers can be found here.

Please note that this hides the Server header from the "application", as do all the other approaches. If you e.g. reach some default page or an error page generated by IIS itself or by ASP.NET outside your application, these rules won't apply. So ideally they should be at the root level in IIS, and that still may leave some error responses to IIS itself.

Note there is a bug in IIS 10 that makes it sometimes show the header even with the modified config prior to 2019.1C. It should be fixed by now, but IIS/Windows has to be updated.

ti7
Ilya Chernomordik
12

Unfortunately most of the recommendations you will find online for removing the "Server" header in IIS will not work for IIS 8.0 and 8.5. I have found the only working option, and in my opinion, also the best, is to use an IIS Native-Code module.

Native-Code modules differ from the more common Managed modules, as they are written using the win32 APIs rather than ASP.NET. This means that they work for all requests (including static pages and images) rather than just requests that pass through the ASP.NET pipeline. Using a Native-Code module, it is possible to remove unwanted headers at the very end of the request, meaning that you can remove headers (including the "Server" header) regardless of where they have been set.

Binaries and source code of an example Native-Code module for removing headers in IIS 7.0 to 8.5 are available in the following article.

https://www.dionach.com/en-au/blog/easily-remove-unwanted-http-headers-in-iis-7-0-to-8-5/

Devraj Gadhavi
ph1ll
  • Works! But it may cause an _unhandled win32 exception occurred in w3wp.exe_ error, solved [here](http://stackoverflow.com/a/31743322/1285846). – Danny Schoemann Dec 30 '15 at 16:17
  • The urlrewrite did not work for me in IIS 8.5. However it worked on my development machine with IIS 10. I have to implement it using only the web.config and not from server side code. – Balaji Birajdar Sep 27 '18 at 09:35
4

Just use the clear tag in the custom headers segment in web.config:

```xml
<system.webServer>
   <httpProtocol>
      <customHeaders>
         <clear />
         <add name="X-Custom-Name1" value="MyCustomValue1" />
         <add name="X-Custom-Name2" value="MyCustomValue2" />
      </customHeaders>
   </httpProtocol>
</system.webServer>
```

For dynamic headers, you can use this code in Global.asax:

```csharp
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.AddHeader("Sample1", "Value1");
}
```
1

This is dead simple. Just create a custom module:

```csharp
using System.Web;

public class HeaderStripModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // Strip the Server header just before the response headers are sent.
        application.PreSendRequestHeaders += (sender, args) => HttpContext.Current.Response.Headers.Remove("Server");
    }

    public void Dispose() { }
}
```

And then register it in web.config, or in applicationHost.config if you want a machine-wide implementation.

```xml
<system.webServer>
  <modules>
    <add name="HeaderStripModule" type="MyNamespace.HeaderStripModule" />
  </modules>
</system.webServer>
```
rism
  • 3
    [Presend events + IHttpModule is in the danger zone](http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#presend) – felickz Jun 30 '15 at 14:20
  • 4
    Won't work on static content, unless runAllModulesForAllRequests is set, which is not a good thing performance wise. – Frédéric Sep 15 '15 at 08:12
  • 1
    This blog post offers remedy for numerous headers types but it too suggests url-scan for the `server` header which is no longer as helpful as it once was : http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html – rism Dec 13 '15 at 03:57
0

URLScan has been discontinued starting from IIS 7.5, since its functionalities are supposed to be available through the "request filtering" option (a feature added in IIS 7.5).

But URLScan's 'Remove server header' option does not appear to have any equivalent in "request filtering".

As said in this answer and this answer to your question, you can empty the Server header with URLRewrite instead, which remains available on IIS 8/8.5 (with an update required to have its UI in the IIS administration console).

It turns out, looking at this blog, that URLScan can still be installed on IIS 8/8.5, if lack of official support is not an issue.

I have not tested it myself. Here are the steps:

  • Install IIS 6 Metabase compatibility (if not already there)
  • Install Isapi Filters (if not already there)
  • Install URLScan (from download-able installer, not from web platform installer)
  • Configure URLScan through its ini file (by default in C:\Windows\System32\inetsrv\urlscan)

Maybe an iisreset or even a reboot should be done. URLScan should be visible in IIS among the ISAPI filters.

Community
Frédéric
-5

In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.

HyperScripts