How to remove Server Name "Microsoft-IIS/8.5" from HTTP headers?

Question

User-2140874079 posted

Hello everyone,

I've changed server name according to steps described in this thread ( http://forums.iis.net/t/1226447.aspx?How+to+remove+Server+Microsoft+IIS+8+5+header+banner+in+IIS )

At the first glance all seems be well, I receive modified http headers, but when I send request to doesn't exists page (and server will return 404 webpage) server name is 'IIS 8.5' in the HTTP headers..

Thank you for your interest in topic.

Regards,
AErot

Answer 1

User-460007017 posted

Hi AErot,

I try the outbound rewrite rule on my side, it works fine with doesn’t exist page.

You could compare your rewrite rule with my following script:

<outboundRules>
                <remove name="Remove Server header" />
                <rule name="Remove Server header" enabled="true">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" />
                </rule>
            </outboundRules>

Besides, if you use the custom managed module instead of rewrite rule. The remove may doesn’t work because the module could only handle the request trough pipeline.

Thirdly, you could enable the rewrite rule on the server node. So that  no response will be missed. 

Best Regards,

Yuk Ding

Answer 2

User-2140874079 posted

@{Yuk Ding} - thanks for your response.

I tried your snippet code, but nothing is changed.. I would add that I set custom error pages (maybe it's important thing).

HTTP Hedears Response:

1. https://domain.tld

{'accept-ranges': 'bytes', 'content-length': '881', 'content-encoding': 'gzip', 'x-powered-by': 'PHP/5.2.17', 'server': 'Apache', 'content-type': 'text/html', 'date': 'Fri, 09 Sep 2016 08:22:09 GMT', 'vary': 'Accept-Encoding', 'x-frame-options': 'DENY', 'last-modified': 'Wed, 31 Aug 2016 09:35:12 GMT'}

2. https://domain.tld/asdf.html

{'accept-ranges': 'bytes', 'content-length': '881', 'content-encoding': 'gzip', 'x-powered-by': 'PHP/5.2.17', 'server': 'Microsoft-IIS/8.5', 'content-type': 'text/html', 'date': 'Fri, 09 Sep 2016 08:28:34 GMT', 'vary': 'Accept-Encoding', 'x-frame-options': 'DENY', 'last-modified': 'Wed, 31 Aug 2016 09:35:12 GMT'}

Below snippet of my config file:

<system.webServer>
        <handlers>
            <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
            <remove name="OPTIONSVerbHandler" />
            <remove name="TRACEVerbHandler" />
            <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
        </handlers>
        <modules runAllManagedModulesForAllRequests="true" />
        <rewrite>
            <outboundRules>
                <remove name="Remove Server header" />
                <rule name="Remove Server header" enabled="true">
                    <match serverVariable="RESPONSE_SERVER" pattern=".+" />
                    <action type="Rewrite" value="Apache" />
                </rule>
            </outboundRules>
            <rules>
                <rule name="Redirect to HTTPS" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                        <add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                </rule>
            </rules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <add name="X-Powered-By" value="PHP/5.2.17" />
                <add name="X-Frame-Options" value="DENY" />
            </customHeaders>
        </httpProtocol>
        <httpErrors>
            <remove statusCode="500" subStatusCode="-1" />
            <remove statusCode="404" subStatusCode="-1" />
            <error statusCode="404" prefixLanguageFilePath="" path="/Error.html?404" responseMode="ExecuteURL" />
            <error statusCode="500" prefixLanguageFilePath="" path="/Error.html?500" responseMode="ExecuteURL" />
        </httpErrors>
        <staticContent>
            <clientCache setEtag="false" />
        </staticContent> 
    </system.webServer>

ps. I can upload so screenshots with settings, but u should point me thing what I must dump..

Regards
AErot

Answer 3

User-460007017 posted

Hi AErot，

There might be something wrong with your module configurations.

To rule out the factor, we may need to create a new website and add the outbound rewrite rule in it.

Please test whether the outbound rule works fine with different sites in the same server.

Besides, the script:

 runAllManagedModulesForAllRequests="true"

may cause the request be handled by other module.

Best Regards,

Yuk  Ding

Answer 4

User-2140874079 posted

@{Yuk Ding} I'm coming with new data.. Your advice was relevant and I found what is a problem - custom error pages.

When I remove httpErrors elements from web.config, Server Name header isn't display in HTTP headers (in both cases - correct/incorrect webpage url).

The question is how can I resolve this impasse? (I want to have custom error pages and remove Server Name header..)

EDIT:

Probably I've got solution - at httpError element should be added following attribute:

<httpErrors errorMode="Custom" existingResponse="PassThrough">

ps. Big thanks for Jan R from saotn.org webpage ( https://www.saotn.org/remove-iis-server-version-http-response-header/ ).

Best
AErot

Answer 5

User-460007017 posted

Hi AErot

I'm glad that you could resolve the problem.

Best Regards,

Yuk Ding