How to remove all information about IIS Server from Response Header?

It is amazing how scarce good information is online about removing IIS server details from the response header, so I decided to blog it.

The reason you would want this is that you do not want to readily disclose which server, or which server version, you are running. For example, see the response header below, which I gathered from one of the sites running IIS:

 

Notice that you have Server, X-AspNet-Version and X-Powered-By headers. Together they are enough to tell that the site is running on IIS. Why hide this information? Because if a certain version of IIS has a security hole, a hacker can exploit it. Also, in an enterprise environment there will often be external third-party security firms like WhiteHat flagging this kind of disclosure, so you have to fix it.

To get rid of X-AspNet-Version, set enableVersionHeader to false on the httpRuntime element in web.config:

<httpRuntime targetFramework="4.5" enableVersionHeader="false" maxRequestLength="20480" />

To get rid of X-Powered-By, remove the header in the customHeaders section of web.config as shown below:

      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>

Getting rid of Server is a bit trickier, and there are two techniques you can use.

The first technique is programmatic: handle the Application_PreSendRequestHeaders event in global.asax.cs:

using System;
using System.Configuration;
using System.Web;

// Semicolon-delimited list of header names to strip, read from web.config appSettings,
// e.g. <add key="HTTPHeadersToRemove" value="Server;X-Powered-By" /> (example value).
public static string HttpHeadersToRemove
{
    get
    {
        return ConfigurationManager.AppSettings["HTTPHeadersToRemove"] ?? string.Empty;
    }
}

// Runs just before the response headers are sent. Response.Headers is only writable
// under the IIS integrated pipeline mode.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    if (HttpContext.Current == null) return;

    // Skip empty entries so a trailing ';' or an unset key does not cause a useless Remove("").
    foreach (var headerKey in HttpHeadersToRemove.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
    {
        HttpContext.Current.Response.Headers.Remove(headerKey.Trim());
    }

    // You can also add your own custom header
    // HttpContext.Current.Response.Headers.Add("my_custom_header", "some value");
}

Because I do not want a code change every time another header to remove is identified, I put the list in a web.config appSettings entry called HTTPHeadersToRemove as a semicolon-delimited string and simply loop through it, removing each header. Another interesting point is that the same hook lets you add your own custom headers.

The second technique involves NO CODE, just IIS configuration using URL Rewrite. URL Rewrite is a powerful module that lets you manipulate not only the URL but also the HTTP response served to the client. You can download and install URL Rewrite from http://www.iis.net/downloads/microsoft/url-rewrite

1. Once installed, open URL Rewrite.

2. Click View Server Variables.

3. Add RESPONSE_SERVER. This server variable allows URL Rewrite to access the Server response header.

4. Add the following rule to your web.config. You can also put this in the web.config at the root level of IIS so that ALL web sites are affected, if you like.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
        <rewrite>
            <outboundRules>
                <rule name="Strip Headers">
                    <match serverVariable="RESPONSE_SERVER" pattern=".*" />
                    <action type="Rewrite" value="MyServer" replace="true" />
                    <conditions>
                    </conditions>
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Blocking IIS version information

1. URL Rewrite must be installed on the server (http://www.iis.net/downloads/microsoft/url-rewrite); after downloading, install it following the prompts (if "URL Rewrite" does not appear in the site's Features View, it is probably not installed);

2. Navigate to the site, open Features View, and select "URL Rewrite";

3. Click "View Server Variables";

4. Add the "RESPONSE_SERVER" variable; this variable allows URL Rewrite to access the response header information;

5. Add the rule to web.config (if web.config does not exist, create it):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
        <rewrite>
            <outboundRules>
                <rule name="Strip Headers">
                    <match serverVariable="RESPONSE_SERVER" pattern=".*" />
                    <action type="Rewrite" value="MyServer" replace="true" />
                    <conditions>
                    </conditions>
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

6. Test the headers:

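To verify the outcome of either technique, here is an added Python check (not from the original post) that parses a raw HTTP response and reports the fingerprinting headers the post targets. The header list and the two sample responses are constructed assumptions; check_live applies the same audit to a real site.

```python
import http.client
from urllib.parse import urlsplit

# Header names the post targets; compared case-insensitively (HTTP header names are).
FINGERPRINT_HEADERS = ("server", "x-aspnet-version", "x-powered-by", "x-aspnetmvc-version")


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into {lowercase-name: value}."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosing_headers(raw_response: str) -> dict:
    """Return the fingerprinting headers still present in the response, with their values."""
    headers = parse_headers(raw_response)
    return {n: headers[n] for n in FINGERPRINT_HEADERS if n in headers}


def check_live(url: str, timeout: float = 5.0) -> dict:
    """Same audit against a real site via a HEAD request (needs network; not run here)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        hdrs = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()
    return {n: hdrs[n] for n in FINGERPRINT_HEADERS if n in hdrs}


# Constructed sample: a default ASP.NET site on IIS before any hardening.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
          "Server: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\n"
          "X-Powered-By: ASP.NET\r\n\r\n<html></html>")

# Constructed sample after the post's web.config changes and URL Rewrite rule:
# X-AspNet-Version and X-Powered-By are gone, Server is rewritten to "MyServer".
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
         "Server: MyServer\r\n\r\n<html></html>")

if __name__ == "__main__":
    print("before:", disclosing_headers(BEFORE))  # all three headers reported
    print("after: ", disclosing_headers(AFTER))   # {'server': 'MyServer'}
```

Note that the rewrite rule in the post replaces the Server value rather than removing the header, so the audit still reports server: MyServer after hardening; that is expected, and it confirms the real IIS version string is gone.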