WS/WCF: Remove Server Header


Requirement:
Need to suppress all instances of the HTTP ‘Server’ header from all HTTP responses including invalid requests that never even reach the application process.

Why we need this:
Exposing Server headers as part of response payload is security vulnerability documented under https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html section 14.38.

Workaround for Self Host WCF Services:
Set below registry flag to: 2
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader

Setting this to 2 will ensure that self host WCF services no longer sends the SERVER header and thus ensure we are security compliant.
Please note that this disables ALL server headers.

The default value of 0 enables the header, and the value of 1 disables server header from DRIVER (http.sys), but app can still have headers.

Workaround for IIS hosted applications
1. Stop the World Wide Web Publishing Service (if IIS services are not required on the server).
2. If they are required, then we would need to use the IIS URL Rewrite module and delete the server header itself.
Refer: https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

I hope this helps!

Thanks
Saurabh Somani


Comments (0)

Skip to main content