none
How to rewrite HTTP response Server header from Reporting ServicesRSS RRS feed

  • Question

  • I am using SSRS 2016 for my report. And every time I access a report, the response always contains the IIS server information. I want to hide or rewrite this sensitive information from the HTTP response Server header (please see the attached image)

    Besides, Reporting Services uses Http.sys directly from the server’s operating system to accept requests directed to URLs and ports configured for Reporting Services. This architectural change allows Reporting Services to exist without IIS and provides the same functionality. So, the solution to use URLRewrite extension and create an outbound rule in IIS does not help in this case.

    Is there any way we can configure to hide/rewrite the HTTP response Server header in Reporting Services? Can we do it in Reporting Services Configuration Manager?

    SSRS response


    Wednesday, October 9, 2019 9:17 AM

All replies

  • Hi Phuc,

    Please follow the instruction in following Blog Article : Remove Unwanted HTTP Response Headers

    This should be able to resolve your issue.

    Regards,

    Lukas


    MSDN Community Support Please remember to click Mark as Answer; the responses that resolved your issue, and to click Unmark as Answer if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, October 10, 2019 5:56 AM
  • Thanks Lukas for taking your time to review my problem.

    I already read and applied the solution from the article, but it does not work in my case. That solution just works for responses returned from application which are hosted and handled by IIS server. However, my question here is Reporting Services (SSRS) which is hosted and handled by HTTP.sys, not IIS.

    Here is my result after applying the solution from your link. 

    Thursday, October 10, 2019 7:20 AM
  • Hi Phuc,

    Sorry for the misguiding, I overlooked the "SSRS2016" in your original post.

    So among the various approaches on Internet, a most reliable solution is to change the machine registry and I've tested it.

    Create or edit the registry "DisableServerHeader" (DWord) under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" with DWORD value of "2" to disable the server header from HTTP.SYS. After the registry change, reboot the server to let the chance go into effect.

    You could see the official doc here :Http.sys registry settings for Windows

    Hope this would help.

    Regards,

    Lukas


    MSDN Community Support Please remember to click Mark as Answer; the responses that resolved your issue, and to click Unmark as Answer if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.



    Thursday, October 10, 2019 9:43 AM
  • Hi Lukas,

    I have applied the solution, but it does not work.

    Here is my detail steps

    1- I created the registry "DisableServerHeader" (DWord) under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" with DWORD value of "2"

    2- Then I restarted the machine

    3- I accessed to Reporting service URL http://localhost/reportserver/ReportBuilder/ReportBuilder.application

    Actual results:
    - When I access the Reporting service page, it returned Service Unavailable page (If I delete the registry key and restart the machine, then I can access to the page normally)

    - Double check the response from SSRS, Server Header is still available

    Thursday, October 10, 2019 10:25 AM
  • I have resolved the Service Unavailable issue. After creating the registry key and restarting the machine, SSRS service will be stopped. I have to start it manually and the service back to be online now. However, the Server header is still exposed in the HTTP response even if the registry key "DisableServerHeader" = 2

    Thursday, October 10, 2019 10:38 AM
  • Hi Phuc,

    This is actually very weird, as you could read in the text I provide previously.  This "2" parameter should hide sever header for all apps that using Http.sys web server. 

    Have you double checked your register settings? Have you try this approach again?

    What is your window system edition?  It works for my Win10 and Windows Server 2012 R2 DataCenter. So I think it should be able to work for your case?

    You could ask .net core forum also for HTTP.SYS web server help.

    Regards,

    Lukas


    MSDN Community Support Please remember to click Mark as Answer; the responses that resolved your issue, and to click Unmark as Answer if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, October 14, 2019 3:26 AM