We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

http.sys response header [Answered]

5 replies

Last post Jan 26, 2021 06:49 PM by maxmayer

  • http.sys response header

    Jan 24, 2021 09:28 PM|maxmayer|LINK

    The IIS http.sys kernel driver intervenes to block possible malicious URLs, for example this URL https://domain.ext/%2E%2E%2fconsole.portal is blocked with issuing a 403 error (Forbidden URL).

    Is it possible to somehow control the HTTP response headers issued by http.sys? At the moment the http.sys documentation states that you can only check the Server header https://docs.microsoft.com/en-us/troubleshoot/iis/httpsys-registry-windows

    I'm currently using IIS10 on Windows Server 2019.

  • Re: http.sys response header

    Jan 26, 2021 02:19 AM|samwu|LINK

    Hi maxmayer,

    maxmayer

    The IIS http.sys kernel driver intervenes to block possible malicious URLs, for example this URL https://domain.ext/%2E%2E%2fconsole.portal is blocked with issuing a 403 error (Forbidden URL).

    Is it possible to somehow control the HTTP response headers issued by http.sys?

    Do you want to block the URL by HTTP response headers? If so, you can use a URL Rewrite rule.

    1. Install the IIS URL Rewrite.

    2. Open the site on which you would like to remove the X-Powered-By header and Click on the URLRewrite section.

    3. Click on the “View Server Variables” in the Actions pane in the right hand side.

    4. Click on the Add button and then enter “RESPONSE_X-POWERED-BY” in the textbox provided.

    6. Now we need to create an outbound rule. To know how to create an outbound rule, look at the following link: Creating Outbound Rules for URL Rewrite Module

    7. Create an Outbound rule as the following: 

    Please note that this is a website-specific rule. If you want to create the rule for all of your applications, create the rule at the server level. 

    Best regards,

    Sam

  • Re: http.sys response header

    Jan 26, 2021 02:33 AM|maxmayer|LINK

    Thanks for the reply. 

    I actually want to control the HTTP response headers set by http.sys.

    Furthermore, the URL rewrite engine has no control on the http.sys response. 

  • Re: http.sys response header

    Jan 26, 2021 02:50 AM|samwu|LINK

    Hi maxmayer,

    maxmayer

    I actually want to control the HTTP response headers set by http.sys.

    Furthermore, the URL rewrite engine has no control on the http.sys response. 

    Otherwise, it seems impossible to do it.

    Best regards,

    Sam

  • Re: http.sys response header

    Jan 26, 2021 05:30 AM|lextm|LINK

    maxmayer

    Is it possible to somehow control the HTTP response headers issued by http.sys? At the moment the http.sys documentation states that you can only check the Server header https://docs.microsoft.com/en-us/troubleshoot/iis/httpsys-registry-windows

    To make a reliable driver like http.sys, it has to be kept simple and without many settings. So what you observed is what you can use, and that does not meet your needs.

    People usually set up a reverse proxy in front, such as NGINX Plus, where headers can be modified as you wished, https://www.nginx.com/blog/reverse-proxy-using-nginx-plus/#passing-request-headers 

    Lex Li
    Want to have a chat on the issues you meet? Book an appointment at https://buy.stripe.com/cN24ia0yi7sAdIA7sv
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: http.sys response header

    Jan 26, 2021 06:49 PM|maxmayer|LINK

    In essence you are confirming what I already suspected: it cannot be done with IIS, and this is such a limitation that one of the suggestions is to use another type of server (it is actually the only viable suggestion).
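
To see which responses fall outside the site's header configuration, as discussed in the thread above, the following added example (not part of the original thread and not Microsoft code) classifies captured responses by the layer that produced them and lists the headers each one lacks. It assumes the default `Server` values (`Microsoft-HTTPAPI/2.0` for http.sys, `Microsoft-IIS/10.0` for the IIS pipeline); the `REQUIRED` header list is an assumed site policy and both captures are constructed samples.

```python
# Added example: tell http.sys-generated responses apart from IIS pipeline ones
# and report which expected headers each response lacks.
REQUIRED = ("strict-transport-security", "x-content-type-options")  # assumed policy

# Constructed sample captures (not taken from a real server).
HTTPSYS_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HTML><BODY>Forbidden URL</BODY></HTML>"
)
IIS_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>ok</html>"
)

def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def origin(headers):
    """Guess the producing layer from Server; 'unknown' if it is absent or changed."""
    server = headers.get("server", "")
    if server.startswith("Microsoft-HTTPAPI/"):
        return "http.sys"
    if server.startswith("Microsoft-IIS/"):
        return "iis"
    return "unknown"

def audit(raw):
    status, headers = parse_response(raw)
    missing = [h for h in REQUIRED if h not in headers]
    return {"status": status, "origin": origin(headers), "missing": missing}

if __name__ == "__main__":
    for name, raw in (("blocked URL", HTTPSYS_403), ("normal page", IIS_200)):
        print(name, audit(raw))
```

If the `Server` header has been disabled through the registry setting the question links to, `origin` returns `unknown` and the missing-header list is the remaining signal.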