Login/Register
Remove Server Response Header IIS 8.0 / 8.5
Asked Answered
iishttp-headershttpresponse
G

9

44

How can we remove the server header response in IIS 8.0/8.5?
My current server report: Microsoft-IIS/8.0 Microsoft-IIS/8.5
For IIS 7.0 I used the URLScan 3.1 however this is only supported for IIS 7.0 and not 8.x

Gd answered 14/3, 2014 at 9:41 Comment(3)
Were somewhat already answered hereLegman
@Frederic, yes for IIS 7.0 BUT this thread here is for IIS 8.0/8.5 and URLScan is not supported there.Gd
The link directs to a URLRewrite solution, not URLScan. UrlRewrite works well under IIS 8 (and even better since an update has bring back its UI in IIS console; previously we had to set it up directly through web.config only).Legman
C
28

There is another solution and in my opinion this solution is the best and safe.

You can use UrlRewrite module created by the Microsoft. The Url Rewrite module redirects your url and can also change your IIS server name in the response header.

You don't have to use redirect property. You can use just change the Server header value.

Here are the steps:

  1. First, download UrlRewrite module from this link: http://www.iis.net/downloads/microsoft/url-rewrite and install it on your IIS server. After that, restart IIS by this command on cmd console

    iisreset /restart

  2. Add the following item to the your web config file under the <system.WebServer> tag. You can write anything to the Value item as server name.

    enter image description here

  3. Finally we changed the IIS version name on the data's header. Restart IIS again. via cmd console.

  4. Bonus: If you want to test your website to see if it is working or not... You can use "HttpRequester" mozilla firefox plugin. for this plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

PS: I tested it and it worked for me on the IIS server. Not on the has been created temproray IIS server by the Visual studio.

Cauterize answered 1/4, 2015 at 8:36 Comment(5)
The problem is, that URL Rewrites need server resources (e.g. CPU). So if you have a system which performs a lot of requests for example a Microsoft Exchange (EAS) server, then a URL rewrite might cause bad delays for your users...Gd
There is a better way now (at least in IIS 10+): https://mcmap.net/q/182087/-remove-server-response-header-iis-8-0-8-5Shawnee
How to turn off Server Signature in IIS 8..??Eran
@AbijithAjayan There are too many features of "UrlRewrite" module. I strongly recommend it to play with it.Cauterize
It work for POST and GET request only ..server header still shows IIS version for PUT and TRACE METHODBarren
R
18

Add the below code in Global.asax.cs:

protected void Application_PreSendRequestHeaders() 
{
    // Remove the default Server header
    Response.Headers.Remove("Server");

    // Optionally, add your own Server header
    Response.AddHeader("Server", "My-App/1.0");
}

This has been tested to work under IIS 8.5 and 10.0.

Rennin answered 4/6, 2018 at 12:24 Comment(3)
This answer is the only answer that worked to remove the "Server" header for *.axd requests on IIS 8.5. Thank you!Insensate
I need to support both IIS 10.0 and 8.5 and this is the solution for me. <requestFiltering removeServerHeader="true"> generates 500 responses and UrlRewrite module is an extra dependency.Vollmer
This also works in IIS 8.0 (Windows Server 2012.) However, I found that using this technique on a site that has custom error handling and runAllManagedModulesForAllRequests="true" in the web.config resulted in ignoring all our custom error handlers and using the default IIS error pages (not good.) So I moved the Response.Headers.Remove() call to the Application_BeginRequest() method, and that worked fine without disrupting our error handling.Senhorita
S
16

It is possible now to remove Server header from web.config starting from IIS 10.0 :

<security>
  <requestFiltering removeServerHeader ="true" />
</security>

More details on how to remove all unwanted/unnecessary headers can be found here.

Please note that this hides server header from the "application", as do all the other approaches. If you e.g. reach some default page or an error page generated by the IIS itself or ASP.NET outside your application these rules won't apply. So ideally they should be on the root level in IIS and that sill may leave some error responses to the IIS itself.

Note there is a bug in IIS 10 that makes it sometimes show the header even with the modified config prior to 2019.1C. It should be fixed by now, but IIS/Windows has to be updated.

Shawnee answered 9/11, 2018 at 11:40 Comment(1)
Most efficient approach if you're using IIS 10+Kandace
D
12

Unfortunately most of the recommendations you will find online for removing the "Server" header in IIS will not work for IIS 8.0 and 8.5. I have found the only working option, and in my opinion, also the best, is to use an IIS Native-Code module.

Native-Code modules differ from the more common Managed modules, as they are written using the win32 APIs rather than ASP.NET. This means that they work for all requests (including static pages and images) rather than just requests that past though the ASP.NET pipeline. Using a Native-Code module, it is possible to remove unwanted headers at the very end of the request, meaning that you can remove headers (including the "Server" header) regardless of where they have been set.

Binaries and source code of an example Native-Code module for removing headers in IIS 7.0 to 8.5 are available in the following article.

https://www.dionach.com/en-au/blog/easily-remove-unwanted-http-headers-in-iis-7-0-to-8-5/

Drill answered 11/4, 2014 at 12:30 Comment(2)
Works! But it may cause a an unhandled win32 exception occurred in w3wp.exe error, solved here.Nigro
The urlrewrite did not work for me in IIS 8.5. However it worked on my development machine with IIS 10. I have to implement it using only the web.config and not from server side code.Hime
S
4

Just use clear tag in custom headers segment in web.config:

<system.webServer>
   <httpProtocol>
      <customHeaders>
           <clear />
            <add name="X-Custom-Name1" value="MyCustomValue1" />
            <add name="X-Custom-Name2" value="MyCustomValue2" />
      </customHeaders>
   </httpProtocol>
</system.webServer>

For dynamic headers, You can use this code in Global.ascx: 

protected void Application_PreSendRequestHeaders() 
   {
       Response.Headers.Remove("Server");
       Response.AddHeader("Sample1", "Value1");
   }
Sassan answered 13/9, 2016 at 14:14 Comment(5)
Would this not prevent the use of ANY custom header though?Flaming
@Flaming No! You can add any custom header you want after clear tag.See edited answerImmoderacy
Oh sure, but if the header is dynamic then it will be wiped?Flaming
Yes! For dynamic headers you should use Response.Headers.Remove("Server"); in Application_PreSendRequestHeaders in Global.ascxImmoderacy
Adding "customHeaders" does not work for me (IIS 8.0). It just adds a second "Server" header, and keeps the original "Server" headerRichly
F
1

This is dead simple. Just create a custom module:

public class HeaderStripModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        application.PreSendRequestHeaders += (sender, args) => HttpContext.Current.Response.Headers.Remove("Server");
    }

    public void Dispose(){}
}

And then register in web.config or applicationHost.config if you want machine wide implementation.

<system.webServer>
  <modules>
      <add name="HeaderStripModule" type="MyNamespace.HeaderStripModule" />
  </modules>
</system.webServer>
Flaming answered 11/5, 2015 at 6:6 Comment(3)
Presend events + IHttpModule is in the danger zoneHirsch
Won't work on static content, unless runAllModulesForAllRequests is set, which is not a good thing performance wise.Legman
This blog post offers remedy for numerous headers types but it too suggests url-scan for the server header which is no longer as helpful as it once was : troyhunt.com/2012/02/shhh-dont-let-your-response-headers.htmlFlaming
G
0

URLScan has been discontinued starting from IIS 7.5, since its functionalities are supposed to be available through "request filtering" option (feature added in IIS 7.5).

But the URLScan's 'Remove server header' option does not look like having any equivalent in "request filtering".

As said on this answer and this answer to you question, you can emptied the Server with URLRewrite instead, which remains available on IIS 8/8.5 (with some update required for having its UI in IIS administration console).

It turns out, looking at this blog, that URLScan can still be installed on IIS 8/8.5, if lack of official support is not an issue.

I have not tested myself. Here are the steps:

  • Install IIS 6 Metabase compatibility (if not already there)
  • Install Isapi Filters (if not already there)
  • Install URLScan (from download-able installer, not from web platform installer)
  • Configure URLScan through its ini file (by default in C:\Windows\System32\inetsrv\urlscan)

Maybe some iisreset or even a reboot should be done. URLScan should be visible in IIS among Isapi filters

Glycerite answered 16/9, 2015 at 18:39 Comment(0)
M
0
After publishing add this in web.config file.
 ` <httpProtocol>
  <customHeaders>
  <clear />
  <add name="X-Powered-By" value="GiveYourValue" />
  </customHeaders>
   </httpProtocol>
    </system.webServer>
  </location>
</configuration>`
Mcelhaney answered 31/10, 2023 at 11:26 Comment(0)
T
-5

In IIS Manager, at the server level, go to the Features view. Click on HTTP Response Headers. You can add/remove headers there. You can also manage the response headers at the site level as well.

Ticket answered 6/11, 2015 at 13:54 Comment(2)
The question is specifically about the Server header. Your answer only addresses X-powered etc. You cannot remove Server via HTTP Response HeadersFlaming
@Flaming See my answer.Immoderacy

© 2022 - 2025 — McMap. All rights reserved.