locked
http.sys response header RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote
    User-440682272 posted

    The IIS http.sys kernel driver intervenes to block possible malicious URLs, for example this URL https://domain.ext/%2E%2E%2fconsole.portal is blocked with issuing a 403 error (Forbidden URL).

    Is it possible to somehow control the HTTP response headers issued by http.sys? At the moment the http.sys documentation states that you can only check the Server header https://docs.microsoft.com/en-us/troubleshoot/iis/httpsys-registry-windows

    I'm currently using IIS10 on Windows Server 2019.

    Sunday, January 24, 2021 9:28 PM

Answers

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    User1065476709 posted

    Hi maxmayer,

    The IIS http.sys kernel driver intervenes to block possible malicious URLs, for example this URL https://domain.ext/%2E%2E%2fconsole.portal is blocked with issuing a 403 error (Forbidden URL).

    Is it possible to somehow control the HTTP response headers issued by http.sys?

    Do  you want to block the url by http response headers? if so, you can use the url rewrite rule.

    1. Install the IIS URL Rewrite.

    2. Open the site on which you would like to remove the X-Powered-By header and Click on the URLRewrite section.

    3. Click on the “View Server Variables” in the Actions pane in the right hand side.

    4. Click on the Add button and then enter “RESPONSE_X-POWERED-BY” in the textbox provided.

    6. Now we need to create an outbound rule. To know how to create an outbound rule, look at the following link: Creating Outbound Rules for URL Rewrite Module

    7. Create an Outbound rule as the following: 

    Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. 

    Best regards,

    Sam

    Tuesday, January 26, 2021 2:19 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User-440682272 posted

    Thanks for the reply. 

    I actually want to control the HTTP response headers set by http.sys.

    Furthermore, the URL rewrite engine has no control on the http.sys response. 

    Tuesday, January 26, 2021 2:33 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User1065476709 posted

    Hi maxmayer,

    I actually want to control the HTTP response headers set by http.sys.

    Furthermore, the URL rewrite engine has no control on the http.sys response. 

    Otherwise, it seems impossible to do it.

    Best regards,

    Sam

    Tuesday, January 26, 2021 2:50 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User690216013 posted

    Is it possible to somehow control the HTTP response headers issued by http.sys? At the moment the http.sys documentation states that you can only check the Server header https://docs.microsoft.com/en-us/troubleshoot/iis/httpsys-registry-windows

    To make a reliable driver like http.sys, it has to be kept simple and without many settings. So what you observed is what you can use, and that does not meet your needs.

    People usually set up a reverse proxy in front, such as NGINX Plus, where headers can be modified as you wished, https://www.nginx.com/blog/reverse-proxy-using-nginx-plus/#passing-request-headers 

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, January 26, 2021 5:30 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User-440682272 posted

    in essence you are confirming what I already suspected, it cannot be done with IIS and this is such a limitation that one of the suggestions is to use another type of server (it is actually the only viable suggestion)

    Tuesday, January 26, 2021 6:49 PM