server name disclosed even after applying outbound rules [Answered]

2 replies

Last post Oct 18, 2019 03:01 AM by Yuk Ding

  • server name disclosed even after applying outbound rules

    Oct 17, 2019 10:52 AM|chanchalkhadse|LINK

    I have applied outbound rules for RESPONSE_SERVER and RESPONSE_X-POWERED-BY in my IIS server as mentioned in https://www.saotn.org/remove-iis-server-version-http-response-header/ to hide the server name in the HTTP response headers. It works perfectly fine with the 404 response code but not with 411. Please let me know how to fix this.

    Thanks in advance.

  • Re: server name disclosed even after applying outbound rules

    Oct 18, 2019 01:32 AM|lextm|LINK

    It is recommended that you set up a reverse proxy in front (like nginx) if you do want to manipulate certain headers. IIS URL Rewrite rules come too late in the processing pipeline, so they cannot modify the headers if the responses already are generated and returned by HTTP.sys.

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: server name disclosed even after applying outbound rules

    Oct 18, 2019 03:01 AM|Yuk Ding|LINK

    Hi chanchalkhadse,

    If you monitor the request with the 411 response, you will see the server is Microsoft-HTTPAPI instead of IIS. The request will never reach IIS. So the Server is blocked and returned from the http.sys HTTP API level.

    To disable, please go to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and create a DWORD named DisableServerHeader. Then set the value to 1.

    Please remember to reboot the server, then you will no longer see this header.

    If the reply is helpful, it is appreciated if you could mark it as answer.

    Best Regards,

    Jokies Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
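
A way to check both response paths discussed in this thread, as an added example that is not code from any of the posters: it parses a raw HTTP response and reports which of the Server / X-Powered-By headers are still present, so the 404 (generated inside IIS) and the 411 (generated by HTTP.sys) can be compared before and after the change. The sample responses are constructed, the function names are hypothetical, and it is an assumption here that a POST without Content-Length is what produces the 411; the probe speaks plain HTTP only.

```python
import socket

# Constructed sample responses (not captured from a real server).
SAMPLE_404 = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_411 = (b"HTTP/1.1 411 Length Required\r\nContent-Type: text/html\r\n"
              b"Server: Microsoft-HTTPAPI/2.0\r\nContent-Length: 0\r\n\r\n")

LEAKY = ("server", "x-powered-by")  # headers the thread is trying to hide

def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def leaked(raw):
    """Return (status_code, identifying headers still present in the response)."""
    status, headers = parse_head(raw)
    return status, {h: headers[h] for h in LEAKY if h in headers}

def requests_for(host):
    """Two probes: one answered by the IIS pipeline, one assumed to stop at HTTP.sys."""
    h = host.encode("ascii")
    tail = b"\r\nConnection: close\r\n\r\n"
    return {"iis-404": b"GET /no-such-page-check HTTP/1.1\r\nHost: " + h + tail,
            "httpsys-411": b"POST / HTTP/1.1\r\nHost: " + h + tail}  # no Content-Length

def probe(host, port, request):
    """Send one raw request to a server you administer; return the response head."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data

if __name__ == "__main__":
    for name, raw in (("404", SAMPLE_404), ("411", SAMPLE_411)):
        print(name, leaked(raw))
```

Against a live server, pass each entry of `requests_for(host)` to `probe(host, 80, ...)` and feed the result to `leaked()`; both results should come back with an empty header dictionary once the outbound rules and the DisableServerHeader value are in effect.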