Remove Unwanted HTTP Response Headers
Published Mar 14 2019 12:04 PM

The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from an IIS response. There are typically three response headers that many people want to remove for security reasons, since each one tells a client which server software and version it is talking to:

  • Server Header - Specifies web server version.
  • X-Powered-By - Indicates that the website is "powered by ASP.NET."
  • X-AspNet-Version - Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you actually need to remove these headers. If you decide to remove them, use one of the options below.

Server Header

There are three ways to remove the Server header from the response. The best one is the third option.


1. Using the Registry key.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

After adding the registry value, restart the HTTP service with the net stop http command followed by the net start http command. If the HTTP service does not start, use the iisreset command. If that also does not work, restart the server.

Please note that this method applies only when the Server header comes as “Microsoft-HTTPAPI/2.0”. When a request comes to IIS, it first goes to the HTTP.SYS kernel-mode driver. HTTP.SYS either handles the request on its own or sends it to user mode for further processing. When the request goes through user mode, the response carries the Server header “Microsoft-IIS/7.5”; when the response comes straight back from HTTP.SYS (for example a malformed request that HTTP.SYS rejects with a 400 before IIS ever sees it), the Server header is “Microsoft-HTTPAPI/2.0”. The registry value removes only that HTTP.SYS header. If you would like to remove the “Microsoft-IIS/7.5” Server header, use one of the following methods.


2. Using the URLScan tool.

Install URLScan on your machine from the following link:

http://www.iis.net/downloads/microsoft/urlscan

After installing URLScan, open the URLScan.ini file, typically located in the %WINDIR%\System32\Inetsrv\URLscan folder, and search for the key RemoveServerHeader. By default it is set to 0; to remove the Server header, change the value to 1. Doing so removes the Server: Microsoft-IIS/7.5 header from the user-mode response.

Please note that changes made by URLScan at the global level apply to all of your sites. If you would like to set this up for a particular site, see the site filter section of the following article:

http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-setup

3. Using URLRewrite

If you don’t want to go with URLScan, you can use the URLRewrite module to blank the value of the Server header. Please note that this does not remove the header altogether: the header is still sent, but with an empty value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the Server header and click on the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right-hand side.

Step 4. Click on the Add button and enter “RESPONSE_SERVER” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, look at the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-modul...

Step 6. Create an outbound rule that matches the server variable RESPONSE_SERVER and rewrites its value to an empty string.

Please note that this is a website-specific rule. If you want the rule to apply to all of your applications, create it at the server level. Also, some applications, especially third-party applications, may require the Server header, so you may need to remove this rule for those applications.

X-Powered-By

There are two ways to remove this header as well. The second method would be the preferred one.

1. Using IIS HTTP Response headers.

Open the site from which you would like to remove the header and then click on the HTTP Response Headers option.

Click on the X-Powered-By header and then click Remove in the Actions pane to remove it from the response.

2. Using a URLRewrite rule.

Please note that this does not remove the header altogether: the header is still sent, but with an empty value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the X-Powered-By header and click on the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right-hand side.

Step 4. Click on the Add button and enter “RESPONSE_X-POWERED-BY” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, look at the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-modul...

Step 6. Create an outbound rule that matches the server variable RESPONSE_X-POWERED-BY and rewrites its value to an empty string.

Please note that this is a website-specific rule. If you want the rule to apply to all of your applications, create it at the server level. Also, some applications, especially third-party applications, may require the X-Powered-By header, so you may need to remove this rule for those applications.

X-AspNet-Version

There are two ways to remove this header as well. The preferred one is the first one.

1. Using the httpRuntime element.

Add the following line to your web.config in the <system.web> section:

<httpRuntime enableVersionHeader="false" />

2. Using a URLRewrite rule.

Please note that this does not remove the header altogether: the header is still sent, but with an empty value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the X-AspNet-Version header and go to the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right-hand side.

Step 4. Click on the Add button and enter “RESPONSE_X-ASPNET-VERSION” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, look at the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-modul...

Step 6. Create an outbound rule that matches the server variable RESPONSE_X-ASPNET-VERSION and rewrites its value to an empty string.

Please note that this is a website-specific rule. If you want the rule to apply to all of your applications, create it at the server level. Also, some applications, especially third-party applications, may require the X-AspNet-Version header, so you may need to remove this rule for those applications.
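The web.config below is an added example, not configuration from the original post; it consolidates the procedures above (httpRuntime for X-AspNet-Version, the HTTP Response Headers removal of X-Powered-By, and the URLRewrite outbound rules for RESPONSE_SERVER, RESPONSE_X-POWERED-BY and RESPONSE_X-ASPNET-VERSION) into one site-root file in place of the IIS Manager screens. It assumes the URLRewrite module is installed and that Step 4 of each section has already been done at the server level; the rule names are my own, and the IIS 10 requestFiltering setting in the last comment is not something the post covers.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- X-AspNet-Version, method 1: ASP.NET never emits the header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By, method 1: the same removal that the HTTP Response
             Headers screen in IIS Manager writes for you -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- URLRewrite method (method 3 for Server, method 2 for the other two).
         Each rule blanks the value; the header name itself is still sent.
         Step 4 of each section must already have added the variable to the
         server-level allow list in applicationHost.config, i.e.
           <rewrite><allowedServerVariables>
             <add name="RESPONSE_SERVER" /> (and the other two)
           </allowedServerVariables></rewrite>
         That list cannot be changed from a site's web.config. -->
    <rewrite>
      <outboundRules>
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="Blank X-Powered-By header">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="Blank X-AspNet-Version header">
          <match serverVariable="RESPONSE_X-ASPNET-VERSION" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
    <!-- None of the above touches responses that HTTP.SYS generates itself
         (Server: Microsoft-HTTPAPI/2.0); for those, use the DisableServerHeader
         registry value from method 1. On IIS 10 (Windows Server 2016 and later,
         not covered by this post) the user-mode Server header can instead be
         dropped with <security><requestFiltering removeServerHeader="true" />
         </security> inside system.webServer. -->
  </system.webServer>
</configuration>
```

After deploying, request a page that returns 200, one that returns 404, and a deliberately malformed request that returns 400, and compare the Server header on each, since the comments below show it can differ by status code.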

 

Author: Mathur Varun (MSFT)

Tech Reviewed by: Enamul Khaleque (MSFT)

10 Comments
Copper Contributor

I tried by setting the registry key of Disable HTTP Header to 1. But the server name was coming in the response. I then changed the registry key to 2 and then the issue was fixed and the server name was not coming in the response.

Microsoft

@Sujitha0212 This method works only when the Server header comes as “Microsoft-HTTPAPI/2.0”. It takes value 0 (don't disable server header) or non-zero (disable server header). 1 or 2 or any value greater than zero should have the same effect. It's quite strange why a value of 2 worked but 1 did not. Thanks for sharing the info!

Copper Contributor

Well, in the "Internet Information Services" - management console I switched to "HTTP Response Headers" and added "Server"-Value "Webserver" which overrides the "Microsoft-IIS/10.0" with "Webserver".

That easy...

EDIT: or you add this manually (caution!) to C:\Windows\System32\inetsrv\config\applicationHost.config

...
 <httpProtocol>
  <customHeaders>
   <clear />
   <add name="Server" value="Webserver" />
  </customHeaders>
 </httpProtocol>
</system.webServer>
...

 

Copper Contributor

And, you could do this per web-app within the web.config file:

<configuration>
 <system.webServer>
  <httpProtocol>
   <customHeaders>
    <clear/>
    <add name="Server" value="SubServer or whatever"/>
   </customHeaders>
  </httpProtocol>
 </system.webServer>
</configuration>

 

Copper Contributor

It works fine on 200 status code.
On 400 error, the server header shows "Microsoft-HTTPAPI/2.0".
On 404 error, the server header still shows "Microsoft-IIS/8.5".
On 200, the server header shows "Unknown" as per my value in the rewrite module.
My registry entry is DisableServerHeader = 1.
Why is it not working? I am using Windows Server 2012 R2 with IIS 8.5.

Microsoft

@abubakarriaz A server reboot is generally needed after changing the registry that impacts a kernel mode driver. Let's reboot and test it again.

Copper Contributor

Thanks @Enamul Khaleque, but I restarted many times, still the same results. Eventually I let it go and convinced my InfoSec team that the dev team will be responsible for any security breach due to this reason. :( Not good, I know. But we have since then upgraded to a new VM with Win 2019 and IIS 10. It's so much easier to hide server headers in the latest Windows servers.

Brass Contributor

None of this worked, including the suggestions. However, BJNeu's suggestion did create the "server: webserver" entry but it did not remove the "server: Microsoft-IIS/10.0" entry, so the server is still revealing its platform and failing PCI scans.

Copper Contributor

@JaxPlanet Did you ever find a resolution? We are using Nessus and getting flagged by plugin 88099. Similar to your narrative, traffic on tcp/80 with 403 is still showing the IIS/10 header. Custom headers add, do not overwrite; the HTTP Service registry entry doesn't change anything either. Hoping you have come across something.

Copper Contributor

Removing Server Header using Registry key worked for me on Windows Server 2019 and IIS 10.
