Change or modify a Response Header value using URL Rewrite


If you have ever used a tool that lets you view request and response headers, you know that some information is passed back and forth between the client and the server that is not immediately visible.

An example of possible fields can be found here or here.

New in IIS 10 there is an additional attribute called removeServerHeader which can now remove this value; read about that here.

It is a relatively easy activity to add or modify custom headers and/or to add or modify ASP.Net or ASP.Net version numbers.  Therefore, the way to add or modify them is not discussed here.  The specific response header I want to discuss here is the Server field name.

The Server field name is special because IIS adds this value to the response of each request by default.  Other means of removing it, such as adding <remove name="Server" /> to the <customHeaders> section, do not remove it.

So how do you remove it?

There is a nice article here that shows how to change the value using a custom .Net module.  That is a valid approach.

Another approach is to use an Outbound URL Rewrite rule.

By default, when I access the Default Web Site on an IIS 8 web server I see the response headers shown in Figure 1.  Notice the Server: Microsoft-IIS/8.0 field and value.

Figure 1, default IIS Response Headers

The question is, how can you change that using URL Rewrite?

Solution

The first step is to confirm you have the URL Rewrite module installed.  I recommend using the Web Platform Installer to install it as shown in Figure 2.

Figure 2, install URL Rewrite using the Web Platform Installer

Once installed, click on the level (server, website, etc.) where you want the rule to be executed and you will see the URL Rewrite icon as shown in Figure 3.

Figure 3, the URL Rewrite module

Double-click it to open the feature.  Then, in the Actions pane, select the Add Rule(s)… link as shown in Figure 4 and create a ‘Blank rule’ of type ‘Outbound rules’.

Figure 4, Add Rule(s)… link

Create the following outbound rule as shown in Figure 5.

Figure 5, how to change the Server HTTP Response Header value

Apply your changes and re-access the website.  Notice that the value for the Server field name has been changed, as shown in Figure 6.

Figure 6, Modified Server response header value using an outbound URL Rewrite rule

Note that the above rule is a plain vanilla rule, meaning it is a catch-all and is meant as an example only.  I suggest you narrow it by adding some Conditions and/or Patterns so that it better matches your needs.
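The same kind of catch-all outbound rule expressed in web.config, as an added example that is not taken from the original article. It assumes the rule matches the RESPONSE_SERVER server variable (the "RESPONSE_headername" convention mentioned in the comments); the rule name and the replacement value are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Rule name is a placeholder; pick any unique name. -->
        <rule name="Rewrite Server response header">
          <!-- Response headers are exposed to outbound rules as
               RESPONSE_<header name>, with dashes replaced by underscores.
               pattern=".*" is the catch-all: it matches whatever value
               IIS put in the Server header. -->
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <!-- Replace the whole value. "webserver" is a constructed
               placeholder; use a string that does not disclose the
               product or version. -->
          <action type="Rewrite" value="webserver" />
        </rule>
      </outboundRules>
    </rewrite>

    <!-- IIS 10 alternative, mentioned at the top of the article:
         drop the header instead of rewriting it. Leave this commented
         out on older versions, where the attribute is not recognised.
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    -->
  </system.webServer>
</configuration>
```

After applying the rule, confirm the result by inspecting the response headers of a normal page request, as in Figure 6. Error responses generated by HTTP.sys before the request reaches IIS (for example a 400 for a malformed request) do not pass through URL Rewrite and still carry their own Server value, so check those separately if a scanner flags them.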


Comments (5)

  1. SWORT says:

    Many thanks, this really helped me.

    Even Microsoft doesn't give this answer…

  2. Some Guy says:

    THANK-YOU! I had no idea I could set response headers by using "RESPONSE_headername" as the name of the server variable. This accomplishes exactly what I want, but the MS documentation is severely lacking any information on this feature.

  3. Thanks, yes, when I work on a case, I too search the internet for examples, when I don't find the solution I try to write an article about it.  I am in a special position as I can contact the people who wrote the code and get the solution from them.  Glad this helped.

  4. byron says:

    Thank you, great article. Perfectly explained. This helped me get past a security scan's red flag for software disclosure.

  5. Tonny says:

    What does the xml for this look like?
