19

Remove Server Response Header IIS7

I know how to remove the Server response header with an HTTP Module based on the link above.

I just want to know why it is necessary to remove it this way.

David Murdoch

6 Answers

9

The following works for me:

In IIS 10.0 (Windows Server 2016/2019), you can remove the Server header by configuring requestFiltering in your web.config system.webServer node:

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>

This way you don’t have to fiddle with complex outbound rewrite rules.

To remove ASP.NET’s X-Powered-By header you still need the customHeaders section as mentioned above.

source: https://www.saotn.org/remove-iis-server-version-http-response-header/

C. Molendijk
8

The comments in Aristos' link give a good answer to the Why.

It boils down to MS not wanting to easily let people modify this value. Whether for marketing or other purposes is open to interpretation.

One thing to take away from that discussion is that modifying the server header is not useful for any sort of security. There are a myriad of ways that you can detect exactly what kind (and version) of web server software is running.

Which leaves us with only one reason to do so: to save bytes. Unless you're running an extremely high traffic site this isn't a concern. If you are running a high traffic site then you are more than likely already running one or more custom modules.

NotMe
  • Whilst removing it almost certainly falls into the class of "Security Theatre" rather than "Actual Security", it is very usual for penetration testing to require that extraneous headers like this, which identify the system configuration, be removed. – Owen Blacker Sep 17 '12 at 14:13
  • I develop mobile websites. I agree with the security argument, it really isn't security, but contend that removing it for space saving is relevant for customers whose bandwidth is eaten up by needless data. Let's be good citizens of the networked world and respect our users and the infrastructure we depend upon. – Norman H May 10 '13 at 17:50
  • @OwenBlacker after the years this post has been here, I care to disagree. Removing this header is not about preventing a dedicated attacker from finding out what software is running. Removing the header is a measure to stop opportunistic drive-by hacks that are run by automated scripts. Finding hundreds of vulnerable web servers is much easier to do when people leave this header on. – Mateusz Apr 26 '22 at 16:45
  • @Mateusz A fair point well made; you're right – Owen Blacker Apr 27 '22 at 17:53
2

This example does not really remove the "server" header; it just writes something else into it.

A better title would be "IIS7 how to send a custom "Server" http header". Read this similar article: http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx

Now, if you are wondering why this way: this is not the only way. You can go to your web server and just remove it from the initial headers.

If you are wondering why to use the IHttpModule + PreSendRequestHeaders, it is because this is the way you grab the headers in the initial part and place the "server" header first, before IIS does that.

Hope this helps.

Aristos
  • Well, no. "How to send a custom 'Server' http header" isn't what I'm looking for... I already know how to do that. What I want to know is why it is necessary to do it in an HttpModule for "Server" but not for other headers which can be added/removed via web.config (``). – David Murdoch Dec 28 '10 at 13:18
  • @David, this is something else you are asking (and I am not sure I can give an answer at this moment); the answer to your main question is what I have written. – Aristos Dec 28 '10 at 20:03
  • In the question I asked: "`I just want to know why it is necessary to remove [the 'Server' header] this way.`" Thanks for your answer though! – David Murdoch Dec 28 '10 at 21:54
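Added example, not code from the question or from any of the answers: a complete IHttpModule using the PreSendRequestHeaders approach the answer above describes, with the web.config registration in a trailing comment. The class and module name (RemoveServerHeaderModule) are this example's own choice; the Integrated Pipeline check and the extra X-Powered-By / X-AspNet-Version removals are additions beyond what the answer states.

```csharp
using System;
using System.Web;

// Added example (not from the original post). The module hooks
// PreSendRequestHeaders, the last point at which managed code can edit the
// response headers before IIS writes them to the wire, and drops the Server
// header there. Module/class name is this example's own.
public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires after the handler has run and IIS has merged in its own
        // headers (including Server), but before anything is sent.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null || app.Context == null)
        {
            return;
        }

        // Response.Headers is only writable under Integrated Pipeline mode.
        // In Classic mode touching it throws PlatformNotSupportedException,
        // so do nothing there instead of breaking every request.
        if (!HttpRuntime.UsingIntegratedPipeline)
        {
            return;
        }

        var headers = app.Context.Response.Headers;
        headers.Remove("Server");

        // Also drop the ASP.NET banner headers that the customHeaders section
        // and httpRuntime enableVersionHeader="false" are otherwise used for.
        headers.Remove("X-Powered-By");
        headers.Remove("X-AspNet-Version");
    }

    public void Dispose()
    {
        // Nothing to release: the module holds no unmanaged resources.
    }
}

/* Registration in web.config (IIS 7+, Integrated Pipeline application pool).
   The type attribute is "Namespace.Class, Assembly"; this class lives in the
   global namespace of the web project's own assembly, so both are omitted.

   <system.webServer>
     <modules runAllManagedModulesForAllRequests="true">
       <add name="RemoveServerHeaderModule" type="RemoveServerHeaderModule" />
     </modules>
   </system.webServer>

   runAllManagedModulesForAllRequests="true" makes the module run for static
   files as well; without it only requests handled by ASP.NET lose the header.
*/
```

Two caveats worth knowing before relying on this. A managed module never sees responses IIS generates itself (for example its own 404 or 500 pages), so those still carry the Server header; that is the gap the requestFiltering removeServerHeader setting and the outbound rewrite rule in the other answers close at the IIS level. And Microsoft's documentation warns against PreSendRequestHeaders for asynchronous requests in IIS 7 Integrated mode; from .NET 4.5.2 onward, HttpResponse.AddOnSendingHeaders is the supported replacement and takes the same header-editing callback. Whichever approach you pick, verify it from the outside with something like `curl -sI https://your-host/ | grep -i '^server'` against both a dynamic page and a static file.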
1

You can also empty the value by adding an outboundRule in the web.config file in IIS 7+:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
needfulthing
0

The basic ideas behind removing those headers are as follows:

  1. For security reasons: it won't be as easy for an attacker to determine which web server software (and version) is backing the site.
  2. It reduces the size of the data the server sends to the browser.

Read more about Inspecting Http Response Headers

Shanaka Rathnayaka
-3

Response.Headers.Set("Server", "My Awesome Server"); works fine in the Page code-behind, so long as your application pool is set to "Integrated Pipeline Mode."

Basically, IPM is specifically for the purpose of having the IIS pipeline be integrated with the ASP.NET pipeline to allow this kind of thing to be done. See Mehrdad Afshari's Answer for discussion.

Brian