Remove the Server Header in any IIS Version
By Pete Freitag
Removing the Server Header as of IIS 10 (the version of IIS installed by default on Windows Server 2016, 2019 or 2022) is now much easier than it had been with prior versions of IIS. By default IIS will return an HTTP response header like this:
Server: Microsoft-IIS/10.0
This tells everyone that your server is running IIS, and more specifically version 10 of IIS, and for that reason it is a good idea to remove it. The Request Filtering module in IIS now has an option to remove the server header. You can set it either at the site level or at the server-wide level.
Remove Server Header at IIS Site Level in IIS 10
To remove the server header from IIS at the site level, add the removeServerHeader="true" attribute to the requestFiltering tag in your web.config file:
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true">
      <!-- other request filtering stuff -->
    </requestFiltering>
  </security>
</system.webServer>
If you'd rather not edit the web.config file manually, you can use the technique below to remove it server wide.
Remove the IIS Server Header Server Wide in IIS 10
To remove the IIS server header globally (for all sites on the server), click the root node in the IIS Management Console tree; it is usually labeled with the machine or computer name. Then double click Configuration Editor and paste the following into the Section dropdown:
system.webServer/security/requestFiltering
In the request filtering configuration editor you will find a setting named removeServerHeader. Set it to True and click Apply to save the configuration. You won't need to restart IIS; the server header will be removed right away for all subsequent requests to the server.
Removing the Microsoft-HTTPAPI Server Header
On occasion you may find that IIS returns a server header that looks like this:
Server: Microsoft-HTTPAPI/2.0
This header is returned by Microsoft's http.sys kernel-mode driver rather than by IIS itself. In my experience this typically only happens on a bad request, e.g. something that returns an HTTP 400 status code.
A few scenarios where you might see the Microsoft-HTTPAPI/2.0 server header are:
- The request URI contains characters that are not allowed
- The Host header value in the request is not mapped to a web site binding in IIS
To remove this header, you have to set the registry value DisableServerHeader to 1 under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
Unfortunately the new request filtering removeServerHeader setting won't prevent the Microsoft-HTTPAPI/2.0 server header from being returned.
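The server-wide requestFiltering change and the http.sys registry value above, scripted together with a small check that reads back the Server header. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the IIS host with the WebAdministration module, and a site answering on http://localhost/ (the hostname unbound.example is a constructed value).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the IIS host; assumes the WebAdministration module is available.
Import-Module WebAdministration

# 1. Server-wide equivalent of the Configuration Editor step:
#    section system.webServer/security/requestFiltering, removeServerHeader = True
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# 2. http.sys setting for the Microsoft-HTTPAPI/2.0 header on rejected requests.
#    http.sys reads this value when the HTTP service starts, so restart that
#    service (or reboot) before expecting it to take effect.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $httpParams -Name 'DisableServerHeader' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Verification helper: returns the Server header (or '<absent>') for a request.
#    An optional Host header lets you exercise the "host not bound to any site"
#    case that the post lists as a source of the Microsoft-HTTPAPI/2.0 header.
function Get-ServerHeader {
    param([string]$Uri, [string]$HostHeader)
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    if ($HostHeader) { $req.Host = $HostHeader }   # send an arbitrary Host header
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 400/404 responses throw, but the response and its headers are attached
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $value = $resp.Headers['Server']
    $resp.Close()
    if ($value) { $value } else { '<absent>' }
}

# Both lines should show <absent> once the settings are in effect
# (the second one only after the HTTP service restart).
'Normal request : ' + (Get-ServerHeader -Uri 'http://localhost/')
'Unbound host   : ' + (Get-ServerHeader -Uri 'http://localhost/' -HostHeader 'unbound.example')
```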
Removing the Server Header on Older Versions of IIS
If you are running a version of IIS earlier than version 10, you might get an error like this:
500.19 Unrecognized attributes removeServerHeader
If you are running an older version of IIS, that means you are probably running Windows Server 2012 or earlier. Windows Server 2012 reached end of life (EOL) in October 2023, so Microsoft no longer provides security patches for it, and it is probably well past time to update the server. If you are trying to remove the server header for security purposes, keep in mind that running EOL software is a much larger security risk than disclosing the server header.
There have been many different ways to remove the server header over the years, varying by IIS version. I have blogged about several of them over time, but I'll try to summarize them here.
Rewrite Server Header on IIS 8 or Above
On IIS 8 you can use the Microsoft URL Rewrite Module to create an outbound rule that rewrites the Server header to a value of your choosing.
Precondition: <None>
Matching scope: Server Variable
Variable name: RESPONSE_Server
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .*
Action type: Rewrite
Value: Whatever you want your server header to be.
This technique doesn't remove the header, but it can rewrite it with whatever value you'd like.
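The same outbound rule as the UI steps above, scripted with the WebAdministration module in the form the Configuration Editor's "Generate Script" feature produces. This is an added example, not code from the original post; it assumes the URL Rewrite module is installed, that the site is named 'Default Web Site', and uses the constructed rule name 'Rewrite Server header' and replacement value 'Web'.

```powershell
# Added example (not from the original post): create the URL Rewrite outbound
# rule from PowerShell. Assumes the URL Rewrite module is installed and the
# target site is 'Default Web Site'; rule name and value are placeholders.
Import-Module WebAdministration
$site  = 'MACHINE/WEBROOT/APPHOST/Default Web Site'
$rules = 'system.webServer/rewrite/outboundRules'
$rule  = "$rules/rule[@name='Rewrite Server header']"

# Create the rule entry (no preCondition attribute = Precondition <None>)
# unless a rule with that name already exists
if (-not (Get-WebConfiguration -PSPath $site -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' `
        -Value @{ name = 'Rewrite Server header' }
}

# Matching scope: Server Variable RESPONSE_Server, regular expression .*
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'serverVariable' -Value 'RESPONSE_Server'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'pattern' -Value '.*'

# Action type: Rewrite, with whatever value you want the Server header to carry
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'value' -Value 'Web'

# The resulting fragment in the site's web.config, under <system.webServer>:
#   <rewrite>
#     <outboundRules>
#       <rule name="Rewrite Server header">
#         <match serverVariable="RESPONSE_Server" pattern=".*" />
#         <action type="Rewrite" value="Web" />
#       </rule>
#     </outboundRules>
#   </rewrite>
```

Responses from the site will then carry Server: Web instead of Server: Microsoft-IIS/10.0; the header is replaced, not removed.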
Remove Server Header on IIS 7 and Below
Another option for IIS 7-8.5 is the StripHeaders IIS module. You can find the source code here, and binaries here.
For even older versions of IIS you can use Microsoft's URLScan tool. The latest version of this tool only officially supports up to IIS 7 (though it may still work on later versions; it is basically abandonware at this point), and the download link for it no longer works. Again, if you are on such an old version of Windows or IIS, you should really be asking larger questions about why you are still on an EOL version, rather than just hiding the server header.
Remove the Server Header in any IIS Version was first published on December 05, 2023.
Comments
We've tested for the IIS "Microsoft-HTTPAPI/2.0" HTTP response header by using the following curl command with an invalid param:
curl -v http://mywebsite.local/ -H "Range: bytes=00-18446744073709551615"
https://stackoverflow.com/a/48619803/693068