Remove Unwanted HTTP Response Headers


The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically there are three response headers that many people want to remove for security reasons:

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is "powered by ASP.NET."
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang.

http://blogs.msdn.com/b/david.wang/archive/2006/03/29/silly-security-scans.aspx

If you would like to go ahead and remove the headers, use the options below.

Server Header

There are three ways to remove the Server header from the response. The best one is to use the third option.

1. Using the Registry key.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters


After adding the registry value, restart the HTTP service using the net stop http and net start http commands. If the HTTP service doesn’t start up, use the iisreset command. If that also doesn’t work, restart the server.

Please note that this method only applies when the Server header is returned as “Microsoft-HTTPAPI/2.0”.

When a request comes to IIS, it first goes to the HTTP.SYS kernel-mode driver. HTTP.SYS either handles the request on its own or sends it to user mode for further processing. When the request goes to user mode, the Server header is returned as “Microsoft-IIS/7.5”.

However, when the response is returned directly by the HTTP.SYS driver, the Server header comes back as “Microsoft-HTTPAPI/2.0”. Setting the registry value above removes the header in that specific case.

If you would like to remove the Server header returned as “Microsoft-IIS/7.5”, then use one of the following methods.

2. Using the URLScan tool.

Install URLScan on your machine. It is available from the following link:

http://www.iis.net/downloads/microsoft/urlscan

After installing URLScan, open the URLScan.ini file, typically located in the %WINDIR%\System32\Inetsrv\URLscan folder, and search for the key RemoveServerHeader. By default it is set to 0; to remove the Server header, change the value to 1. Doing so removes the header Server: Microsoft-IIS/7.5 from the user-mode response.

Please note that changes made by URLScan at the global level apply to all of your sites. If you would like to set this up for a particular site only, see the site filter section of the following article:

http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-setup

There are also some pitfalls to using URLScan. You can learn about those pitfalls at the following URL:

http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_008

3. Using URLRewrite

If you don’t want to use URLScan, you can use the URLRewrite module to remove the value of the Server header. Please note that this does not remove the header altogether; it only blanks out its value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the Server header and click on the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right hand side.

Step 4. Click on the Add button and then enter “RESPONSE_SERVER” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, see the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-module

Step 6. Create an outbound rule that matches the RESPONSE_SERVER variable and rewrites its value to an empty string (the original post shows the rule in a screenshot that is not reproduced here).

Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the Server header, so you may need to remove this rule for those applications.

X-Powered-By

There are two ways to remove this header as well. The second method is the preferred one.

1. Using IIS HTTP Response headers.

Open the site from which you would like to remove the header and then click on the HTTP Response Headers option.


Click on the X-Powered-By header and then click Remove on the Actions Pane to remove it from the response.


2. Using a URLRewrite rule.

Please note that this does not remove the header altogether; it only blanks out its value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the X-Powered-By header and click on the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right hand side.

Step 4. Click on the Add button and then enter “RESPONSE_X-POWERED-BY” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, see the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-module

Step 6. Create an outbound rule that matches the RESPONSE_X-POWERED-BY variable and rewrites its value to an empty string (the original post shows the rule in a screenshot that is not reproduced here).

Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the x-powered-by header, so you may need to remove this rule for those applications.

X-AspNet-Version

There are two ways to remove this header as well. The first one is preferred.

1. Using the httpRuntime element.

Add the following line to your web.config in the <system.web> section:

<httpRuntime enableVersionHeader="false" />

2. Using a URLRewrite rule.

Please note that this does not remove the header altogether; it only blanks out its value.

Step 1. Install URLRewrite from the following link:

http://www.iis.net/downloads/microsoft/url-rewrite

Step 2. Open the site on which you would like to remove the X-AspNet-Version header and go to the URLRewrite section.

Step 3. Click on “View Server Variables” in the Actions pane on the right hand side.

Step 4. Click on the Add button and then enter “RESPONSE_X-ASPNET-VERSION” in the textbox provided.

Step 5. Now we need to create an outbound rule. To learn how to create an outbound rule, see the following link:

http://www.iis.net/learn/extensions/url-rewrite-module/creating-outbound-rules-for-url-rewrite-module

Step 6. Create an outbound rule that matches the RESPONSE_X-ASPNET-VERSION variable and rewrites its value to an empty string (the original post shows the rule in a screenshot that is not reproduced here).

Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. Also, some applications, especially third party applications, may require the x-aspnet-version header, so you may need to remove this rule for those applications.
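As an added example that is not from the original post, the following web.config fragment shows the preferred method for each of the three headers discussed above written out by hand: URLRewrite outbound rules that blank the Server and X-Powered-By values, and the httpRuntime setting that stops ASP.NET from emitting X-AspNet-Version. It assumes the URL Rewrite module is installed and that RESPONSE_SERVER and RESPONSE_X-POWERED-BY have already been allowed through the “View Server Variables” step described above; the rule names are my own choice.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- X-AspNet-Version, method 1: ASP.NET does not emit the header at all -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Server header, method 3: the header is still sent, but with an empty value.
             RESPONSE_SERVER must be in the allowed server variables list (assumed done). -->
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_SERVER" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <!-- X-Powered-By, method 2: same approach, different server variable -->
        <rule name="Blank X-Powered-By header">
          <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Placing this in a site’s web.config makes the rules website-specific, exactly as the post notes for rules created through IIS Manager; put them at the server level instead if every application should be covered.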


Comments (34)

  1. This is an extremely helpful post;  I like how you've spelled it all out.  I'm surprised there aren't more responses.

  2. David Duffett says:

    You COULD do all of what you have described, OR, if you are running an ASP.NET MVC website, you could just install this package: nuget.org/…/Dinheiro.RemoveUnnecessaryHeaders

    🙂

  3. crazydotnetlover says:

    thanks for this post buddy

    azad chouhan

    crazydotnetlover.blogspot.in

  4. Jatin says:

    Nice Post…quite helpful!!!Thanks!!!

  5. irfan says:

    awesome post Varun   🙂

    Really helpful

  6. Kshitish says:

    Nice article..will it improve the performance of the website too?

    Regards

    Kshitish

    www.studyalways.com

  7. Hello Kshitish,

    It's just for security purposes. I don't think it will make any significant improvement in performance.

  8. Orac says:

    Options 1 & 2 simply do not work for our Win2k8R2 IIS 7.5 server and I am loath to install third party plugins.

  9. ple says:

    Finally, RESPONSE_X-ASPNET-VERSION is live

    taikhoanforex.weebly.com/…

  10. amguy says:

    @Orac – the 'third party plugins' you refer to are actually Microsoft addons for IIS.

  11. Pawel says:

    Best post I found, tells the whole story and explains what and why needs to be done. Other posts I found suggested solutions but didn't explain what does what. Both steps 1 and 2 (for Server header) work fine on Windows Server 2008 R2 IIS 7.5.

  12. Guest says:

    Hello,

    are the solutions also for IIS 7.5 ?

  13. Jon says:

    Just applied to IIS 7.5 on the back of a security scan. I read the article by David Wang and agree that it is rather a pointless exercise, but seeing as your article provided such comprehensive information on the fix, I thought I'd just go ahead – only took a couple of minutes! So thanks for the info, much appreciated!

    Cheers,

    Jon.

  14. Chris Hunt says:

    I used the IIS re-write method to remove the server header but I found that doing this caused problems with file download when doing something like this in classic ASP

    Response.ContentType = "application/vnd.ms-excel"

    Response.AddHeader "Content-Disposition", "attachment; filename=data.xls"

    I found that each line would be prefixed by a number which I think was the length of the line

    I've no idea why it would do this so I had to remove this.

  15. Naveenkumar T says:

    You should get a gold medal for this post Man..!!

  16. sana says:

    my site http://codeplussoft.com is using share hosting any solution for that ?

  17. susan says:

    check this for more info and share

    agen.yoobooy.com/…/rakeback

  18. jamy enzor says:

    Nice Blog Dude. Your Strategy was great that will definitely help those entrepreneurs who would like to start new business. You follow great idea and Strategy. Startup Accelerator (nichestartup.blogspot.in/) Bring high speed of your business.

  19. johntech says:

    wow…thank you for this awesome post. It really shows your immense knowledge and research on this topic. Please keep sharing.

  20. jamy enzor says:

    Dear Sir,

    your Blog is superb and it will help me.

    you can also visit My ideas

    startupaccelerator.blogspot.in

  21. Elbar says:

    How about

    Cache-Control

    Pragma

    Expires

    Date

    ?

  22. Anonymous says:

    I don't think the reg key for removing the Server key works in IIS 8 on Server 2012. Doesn't for me, anyway.

  23. Anonymous says:

    Hi There,

    Thank you for this.

    Is there a way to block the Server and X-Powered-By information from the response headers when a file is not found. I was testing and I noticed that I could get the above server details from Fiddler by just using the website url and looking for a file that doesn't exist . E.g. http://www.someUrl.com/fileThatDoesNotExist.

    Thanks

  24. Anonymous says:

    Thanks for this post. really awesome.

  25. SysAdmin-E.com says:

    To disable X-AspNet-Version, I would not recommend editing Web.config directly. Instead, go into IIS Manager –> on left pane, select the site –> in middle pane double-click on Configuration Editor –> on the Section dropdown box expand system.web –> click on httpRuntime and change its value to False –> on right pane, click Apply. The change takes effect immediately. From another post elsewhere (stackoverflow.com/…/what-happens-when-i-edit-web-config), it mentions that changes to Web.config restart the application pool–I have not verified if that is the case.

  26. Me says:

    Why…

    Why MS should make things so difficult.

    Especially the Server variable that requires you to use regedit…

    Shouldn't there be a switch on IIS Manager to disable this thing?

    Not to go on the topic of why these things are included by default in the first place…

    I understand that it's some sort of advertisement, but at least make it easier to rip them off.

    At least, I would expect all ASP.NET related headers to be turned on/off at the same place.

    But, no…. I had to turn off one in web.config and the other one in C# code:

       MvcHandler.DisableMvcResponseHeader = true; // Remove "X-AspNetMvc-Version" header.

    This article misses that last one ^^^.

  27. Darshan S says:

    Thank You Very Much. It helps me a lot.

  28. Chris says:

    Is there a way to make it appear to be Apache or Nginx?

  29. Robert says:

    Insane that they made this so hard. It's a terrible security threat!

  30. Ben says:

    Awesome post – greatly appreciated.

  31. Tony says:

    Microsoft! Are you listening!!!? In this world of security threats we need better tools! Please will you add a fix to allow all IIS servers to disable this bloody SERVER variable? You really show that you do not have security at heart if you allow such gaping security holes, and even in the latest IIS 10!!