locked
How to remove Server Name "Microsoft-IIS/8.5" from HTTP headers? RRS feed

Answers

  • User-2140874079 posted

    @{Yuk Ding} I'm coming with new data.. Your advice was relevant and I found what is a problem - custom error pages.

    When I remove httpErrors elements from web.config, Server Name header isn't display in HTTP headers (in both cases - correct/incorrect webpage url).

    The question is how can I resolve this impasse? (I want to have custom error pages and remove Server Name header..)

    EDIT:

    Probably I've got solution - at httpError element should be added following attribute:

    <httpErrors errorMode="Custom" existingResponse="PassThrough">

    ps. Big thanks for Jan R from saotn.org webpage ( https://www.saotn.org/remove-iis-server-version-http-response-header/ ).

    Best
    AErot

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, September 12, 2016 7:53 AM

All replies

  • User-460007017 posted

    Hi AErot,

    I try the outbound rewrite rule on my side, it works fine with doesn’t exist page.

    You could compare your rewrite rule with my following script:

    <outboundRules>
                    <remove name="Remove Server header" />
                    <rule name="Remove Server header" enabled="true">
                        <match serverVariable="RESPONSE_Server" pattern=".+" />
                        <action type="Rewrite" />
                    </rule>
                </outboundRules>
    

    Besides, if you use the custom managed module instead of rewrite rule. The remove may doesn’t work because the module could only handle the request trough pipeline.

    Thirdly, you could enable the rewrite rule on the server node. So that  no response will be missed. 

    Best Regards,

    Yuk Ding

    Thursday, September 8, 2016 8:28 AM
  • User-2140874079 posted

    @{Yuk Ding} - thanks for your response.

    I tried your snippet code, but nothing is changed.. I would add that I set custom error pages (maybe it's important thing).

    HTTP Hedears Response:

    1. https://domain.tld

    {'accept-ranges': 'bytes', 'content-length': '881', 'content-encoding': 'gzip', 'x-powered-by': 'PHP/5.2.17', 'server': 'Apache', 'content-type': 'text/html', 'date': 'Fri, 09 Sep 2016 08:22:09 GMT', 'vary': 'Accept-Encoding', 'x-frame-options': 'DENY', 'last-modified': 'Wed, 31 Aug 2016 09:35:12 GMT'}

    2. https://domain.tld/asdf.html

    {'accept-ranges': 'bytes', 'content-length': '881', 'content-encoding': 'gzip', 'x-powered-by': 'PHP/5.2.17', 'server': 'Microsoft-IIS/8.5', 'content-type': 'text/html', 'date': 'Fri, 09 Sep 2016 08:28:34 GMT', 'vary': 'Accept-Encoding', 'x-frame-options': 'DENY', 'last-modified': 'Wed, 31 Aug 2016 09:35:12 GMT'}

    Below snippet of my config file:

    <system.webServer>
            <handlers>
                <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
                <remove name="OPTIONSVerbHandler" />
                <remove name="TRACEVerbHandler" />
                <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
            </handlers>
            <modules runAllManagedModulesForAllRequests="true" />
            <rewrite>
                <outboundRules>
                    <remove name="Remove Server header" />
                    <rule name="Remove Server header" enabled="true">
                        <match serverVariable="RESPONSE_SERVER" pattern=".+" />
                        <action type="Rewrite" value="Apache" />
                    </rule>
                </outboundRules>
                <rules>
                    <rule name="Redirect to HTTPS" stopProcessing="true">
                        <match url="(.*)" />
                        <conditions>
                            <add input="{HTTPS}" pattern="^OFF$" />
                            <add input="{WARMUP_REQUEST}" pattern="1" negate="true" />
                        </conditions>
                        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
                    </rule>
                </rules>
            </rewrite>
            <httpProtocol>
                <customHeaders>
                    <add name="X-Powered-By" value="PHP/5.2.17" />
                    <add name="X-Frame-Options" value="DENY" />
                </customHeaders>
            </httpProtocol>
            <httpErrors>
                <remove statusCode="500" subStatusCode="-1" />
                <remove statusCode="404" subStatusCode="-1" />
                <error statusCode="404" prefixLanguageFilePath="" path="/Error.html?404" responseMode="ExecuteURL" />
                <error statusCode="500" prefixLanguageFilePath="" path="/Error.html?500" responseMode="ExecuteURL" />
            </httpErrors>
            <staticContent>
                <clientCache setEtag="false" />
            </staticContent> 
        </system.webServer>

    ps. I can upload so screenshots with settings, but u should point me thing what I must dump..

    Regards
    AErot

    Friday, September 9, 2016 9:09 AM
  • User-460007017 posted

    Hi AErot,

    There might be something wrong with your module configurations.

    To rule out the factor, we may need to create a new website and add the outbound rewrite rule in it.

    Please test whether the outbound rule works fine with different sites in the same server.

    Besides, the script:

     runAllManagedModulesForAllRequests="true"

    may cause the request be handled by other module.

    Best Regards,

    Yuk  Ding

    Saturday, September 10, 2016 4:17 AM
  • User-2140874079 posted

    @{Yuk Ding} I'm coming with new data.. Your advice was relevant and I found what is a problem - custom error pages.

    When I remove httpErrors elements from web.config, Server Name header isn't display in HTTP headers (in both cases - correct/incorrect webpage url).

    The question is how can I resolve this impasse? (I want to have custom error pages and remove Server Name header..)

    EDIT:

    Probably I've got solution - at httpError element should be added following attribute:

    <httpErrors errorMode="Custom" existingResponse="PassThrough">

    ps. Big thanks for Jan R from saotn.org webpage ( https://www.saotn.org/remove-iis-server-version-http-response-header/ ).

    Best
    AErot

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Monday, September 12, 2016 7:53 AM
  • User-460007017 posted

    Hi AErot

    I'm glad that you could resolve the problem.

    Best Regards,

    Yuk Ding

    Friday, September 16, 2016 2:33 AM