server name disclosed even after applying outbound rules
Last post Oct 18, 2019 03:01 AM by Yuk Ding
Oct 17, 2019 10:52 AM|chanchalkhadse
I have applied outbound rules for RESPONSE_SERVER and RESPONSE_X-POWERED-BY in my IIS server, as mentioned in https://www.saotn.org/remove-iis-server-version-http-response-header/, to hide the server name in the HTTP response headers. It is working perfectly fine with the 404 response code but not with 411. Please let me know how to fix this.
Thanks in advance.
Oct 18, 2019 01:32 AM|lextm
It is recommended that you set up a reverse proxy in front (like nginx) if you do want to manipulate certain headers. IIS URL Rewrite rules come too late in the processing pipeline, so they cannot modify the headers if the responses already are generated and returned by HTTP.sys.
Oct 18, 2019 03:01 AM|Yuk Ding
If you monitor the request with the 411 response, you will see the server is Microsoft-HTTPAPI instead of IIS. The request will never reach IIS. So the Server is blocked and returned from the http.sys HTTP API level.
To disable, please go to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and create a DWORD named DisableServerHeader. Then set the value to 1.
Please remember to reboot the server, then you will no longer see this header.
If the reply is helpful, it is appreciated if you could mark it as answer.
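
The registry change from the answer above, followed by a check of both response paths, as an added PowerShell example that is not part of the original thread. It assumes an elevated session on the IIS host and a site answering plain HTTP on localhost port 80; the helper name Get-RawResponseHead and the probe path /no-such-page-check are hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS host.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableServerHeader'

# Step 1: create the DWORD from the answer above if it is not already 1.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -ne 1) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$name set to 1. Reboot the server, then run the check below."
} else {
    Write-Host "$name is already 1."
}

# Step 2 (after the reboot): read the response head over a raw socket so a
# request without Content-Length can be sent. Get-RawResponseHead is a
# hypothetical helper name; localhost:80 over plain HTTP is an assumption.
function Get-RawResponseHead {
    param([string]$Request, [string]$HostName = 'localhost', [int]$Port = 80)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($Request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $head = @()
        # The status line and headers end at the first empty line.
        while ($true) {
            $line = $reader.ReadLine()
            if ([string]::IsNullOrEmpty($line)) { break }
            $head += $line
        }
        return $head
    } finally {
        $client.Close()
    }
}

$tail = "`r`nHost: localhost`r`nConnection: close`r`n`r`n"
$probes = [ordered]@{
    'GET missing page (404 case)'            = "GET /no-such-page-check HTTP/1.1$tail"
    'POST without Content-Length (411 case)' = "POST / HTTP/1.1$tail"
}
foreach ($probe in $probes.GetEnumerator()) {
    $head   = @(Get-RawResponseHead -Request $probe.Value)
    $server = $head | Where-Object { $_ -match '^Server:' }
    if (-not $server) { $server = '(no Server header)' }
    Write-Host ("{0}: {1} | {2}" -f $probe.Key, $head[0], $server)
}
```

Each output line shows the status line and the Server header for one probe, so the 404 and 411 cases from the thread can be compared side by side.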