I need to remove the server banner on my website. So far I have tried the following solutions, which mainly point to editing web.config and using urlscan/urlrewrite:

Remove Server Response Header IIS7

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

Disabling IIS Server Response Headers in Case of 404 and 302 Files

These threads provided solutions to remove the server banner, but on instances of HTTP server response 200 only. These do not remove server banners in instances of server response 302/400/500, just like the response below.

HTTP/1.1 400 Internal Server Error
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Content-Length: 0

Can someone redirect me on possible solutions? Thanks!

niconnex
  • You might get some very basic ideas from https://blog.lextudio.com/everything-you-might-need-about-iis-server-header-58ca268547be – Lex Li Jun 16 '21 at 05:46
  • Thanks @LexLi, I have tried the suggestions in your blog but it's still showing the server header. :( – niconnex Jun 16 '21 at 09:44
  • Your link contains all the methods to remove the Server Response Header. They should work. Can you show me how you tried it? For example, how did you create a url rewrite rule to remove the Server Response Header? – samwu Jun 17 '21 at 08:39
  • Hello @samwu, I tried url rewrite again, but instead of editing the config manually and adding the same config from the solutions on the above links, I followed this link instead and it worked: https://improveandrepeat.com/2020/01/how-to-remove-the-server-header-in-iis-8-5/ which is weird. – niconnex Jun 17 '21 at 14:37

1 Answer

This issue is mainly because the response is not being sent by the IIS server.

Since it is a bad request (400), the HTTP service itself is responding to it - rather than forwarding it to IIS. Therefore the request never made it to IIS.

To fix this, you need to make modifications in the Windows registry for the HTTP service itself.

Follow these steps to do so:

  1. Open regedit
  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. If DisableServerHeader doesn't exist, create it (DWORD 32-bit) and give it a value of 2. If it does exist and the value isn't 2, set it to 2.
  4. Reboot the server OR restart the HTTP service by calling net stop http then net start http
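
The steps above as a PowerShell script, followed by a check that sends a deliberately invalid URL to the local server and lists the headers of the resulting 400 response. This is an added example, not part of the original answer; the function names, the `/%` test path, port 80 and the `net start w3svc` step are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the web server itself.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableServerHeader'
$want = 2

function Set-HttpSysServerHeaderOff {
    # Steps 2-3: create the DWORD or correct its value. Returns $true if it changed.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $want) { return $false }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
    return $true
}

function Get-BadRequestHeaders {
    param([string]$HostName = 'localhost', [int]$Port = 80)
    # "/%" is an invalid URL, so HTTP.sys rejects it with a 400 before IIS sees it.
    # A raw socket is used so the request goes out exactly as written.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $request = "GET /% HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $lines = @()
        # Read the status line and headers; the first empty line ends the header block.
        while ($null -ne ($line = $reader.ReadLine()) -and $line -ne '') { $lines += $line }
        return $lines
    } finally {
        $client.Close()
    }
}

if (Set-HttpSysServerHeaderOff) {
    # Step 4 without a reboot. Stopping HTTP also stops the services that depend on it
    # (IIS among them), so the web service is started again afterwards.
    net stop http /y
    net start http
    net start w3svc
}

$headers = Get-BadRequestHeaders
$headers
if ($headers -match '^Server:') {
    Write-Warning 'Server header is still present on HTTP.sys error responses.'
}
```

Restarting the HTTP service interrupts every site on the machine, so run this in a maintenance window.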