WS/WCF: Remove Server Header

Need to suppress all instances of the HTTP ‘Server’ header from all HTTP responses including invalid requests that never even reach the application process.

Why we need this:
Exposing Server headers as part of response payload is security vulnerability documented under section 14.38.

Workaround for Self Host WCF Services:
Set below registry flag to: 2

Setting this to 2 will ensure that self host WCF services no longer sends the SERVER header and thus ensure we are security compliant.
Please note that this disables ALL server headers.

The default value of 0 enables the header, and the value of 1 disables server header from DRIVER (http.sys), but app can still have headers.

Workaround for IIS hosted applications
1. Stop the World Wide Web Publishing Service (if IIS services are not required on the server).
2. If they are required, then we would need to use the IIS URL Rewrite module and delete the server header itself.

I hope this helps!

Saurabh Somani

Comments (0)

Skip to main content