
CODE REMOVING CHATTY IIS HEADERS

  • By Andy Burns
IIS is, by default, a bit too damn chatty, which isn't what you want if you're trying to harden your server. 

You can check this with a site like SecurityHeaders.io [https://securityheaders.io/], which will review all your HTTP Headers for you.

Why would I need to tell the world what ASP version, webserver, etc. that I'm using? Isn't this just helping potential attackers? Well, yes. How do you remove these headers, though?

Server: Microsoft-IIS...
------------------------

Removing the Server header is actually the fiddliest of these. The best way is to use the IIS Rewrite module. This isn't part of a standard install, but it is very commonly used, and it's reliable. Most of our customers use it.

Essentially, what you do is configure an outbound rule that matches the Server HTTP header and replaces it with empty text. Scott Helme has a full description here [https://scotthelme.co.uk/hardening-your-http-response-headers/#server]. He does it manually through IIS, or you can do this with a web.config modification:

    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Remove Server Response Header">
            <match serverVariable="RESPONSE_SERVER" pattern=".*" />
            <action type="Rewrite" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>

X-Powered-By: ...
------------------

This is configured as a header for the whole of IIS, and I can't see a good reason to leak this information (other than bragging). Go to your IIS instance, open HTTP Response Headers and remove it:

That should zap it for the whole webserver. You can do this on a per-site basis, but that's not as fun.

It can also be done in your Web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

X-AspNet-Version:...
-------------------

Another change to web.config:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
    </system.web>

X-AspNetMvc-Version:...
------------------------

In Global.asax.cs add:

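    protected void Application_Start()
    {
        // Stop ASP.NET MVC adding the X-AspNetMvc-Version response header.
        // MvcHandler lives in the System.Web.Mvc namespace.
        MvcHandler.DisableMvcResponseHeader = true;
    }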

That apparently does it. And I love that it's inconsistent with all the others.
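
To confirm that all four headers are really gone after these changes, a check like the one below can be run against your own site. It is an added example, not code from the original post; the function names and the sample header values are constructed for illustration, and a blank Server value counts as clean because the rewrite rule above empties the header rather than deleting it.

```python
"""Check a response for the four IIS/ASP.NET disclosure headers."""
import sys
import urllib.error
import urllib.request

# The four headers this post removes.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By",
                      "X-AspNet-Version", "X-AspNetMvc-Version")


def audit_headers(headers):
    """Return {header: value} for disclosure headers that still carry a value.

    `headers` is an iterable of (name, value) pairs. Names are matched
    case-insensitively. A blank value is not reported, because the outbound
    rewrite rule replaces Server with empty text instead of removing it.
    """
    wanted = {h.lower(): h for h in DISCLOSURE_HEADERS}
    leaks = {}
    for name, value in headers:
        canonical = wanted.get(name.strip().lower())
        if canonical and value.strip():
            leaks[canonical] = value.strip()
    return leaks


def fetch_headers(url, timeout=10):
    """Send a HEAD request to `url` and return its (name, value) headers."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getheaders()
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses carry headers too, so audit them as well.
        return err.headers.items()


# Constructed samples: a default chatty response, and one after the changes.
BEFORE = [("Server", "Microsoft-IIS/10.0"), ("X-Powered-By", "ASP.NET"),
          ("X-AspNet-Version", "4.0.30319"), ("X-AspNetMvc-Version", "5.2"),
          ("Content-Type", "text/html")]
AFTER = [("Server", ""), ("Content-Type", "text/html")]

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else BEFORE
    for name, value in audit_headers(hdrs).items():
        print(f"still disclosed: {name}: {value}")
```

Run it with your site's URL as the only argument; with no argument it audits the constructed BEFORE sample.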