Why does removeServerHeader work in an Azure Web App?

Question

As mentioned in other SO questions Windows Azure Web Apps are running on IIS/8.0, but I have some doubt if that is actually true.

First of all, when I check the HTTP response from a web app running on the Azure Web Apps free tier I can see the following HTTP header:

Server:Microsoft-IIS/8.0

However, according to this documentation and to some local testing on my machine I know that requestFiltering removeServerHeader is not supported in IIS 8.0.

e.g.:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

It is a feature which has been added with IIS 10.0 and I can confirm this by running some more tests on a Windows 10 VM with IIS 10.0.

Interestingly this setting also works on my Azure Web App, which supposedly runs on IIS 8.0, so my question is what version of IIS is Azure Web Apps actually running on?

EDIT: From all the comments below it seems that Azure Web Apps run on IIS 8.0, so I re-phrase my question to: How come the removeServerHeader works in an Azure Web App when they run on IIS 8.0?

score 6 · Answer 1 · edited Jun 20 '20 at 09:12

A blog post from Microsoft in 2013 states:

Our customers asked us to allow these headers to be disabled on Azure Web Sites, and so with the recent release of Windows Azure Web Sites, we have enabled this to be done.

It then goes on to give an example of using removeServerHeader and says it's part of the Request Filtering module:

The removal of these headers is facilitated with the Request Filtering module...

Interestingly their documentation for IIS 10 Request Filtering confirms that the removeServerHeader attribute was added to IIS 10 as you have found out.

New in IIS 10.0

IIS 10.0 added the removeServerHeader attribute to suppress sending the HTTP server header to remote clients.

So I would say that the reason it works on Azure Web Sites is because Microsoft pushed this feature out to Azure Web Sites at the request of customers in 2013 - presumably as part of an Azure-specific version of the Request Filtering module. They have since integrated it as standard into the IIS 10 Request Filtering module.

score 2 · Answer 2 · answered Oct 09 '15 at 14:47

2

Various sources show that Azure websites run a customized build of IIS that is not available on any Windows release.

answered Oct 09 '15 at 14:47

Lex Li

60,503
9
116
147

Okay, that was my suspicion, but I didn't find anything on the net to confirm this. Have you got any links to such sources? – dustinmoris Oct 09 '15 at 14:48
@dustinmoris there were discussion on IIS forum about the custom ARR module used, while Nano Server was pilot first in Azure and many others. Hard to put a list though. – Lex Li Oct 09 '15 at 14:52

score 1 · Answer 3 · answered Oct 09 '15 at 14:39

1

Your web job runs in the same environment as the associated website. To get detailed information about the site and it's environment use Kudu. You can access it by browsing to the URL:

{yoursite}.scm.azurewebsites.net

Then select the environment tab at the top.

answered Oct 09 '15 at 14:39

tripdubroot

1,143
5
13

Okay, so this is what I get: SERVER_SOFTWARE=Microsoft-IIS/8.0 How is it possible that the removeServerHeader attribute works on it? – dustinmoris Oct 09 '15 at 14:44

ProVega · Answer 4 · 2015-10-09T14:48:24.793

0

To the best of my knowledge, since Windows 2016 Technical Beta's aren't yet supported and I don't know why they would run on old OS's... they run on top of Windows Server 2012 R2 and so that means IIS 8.5.

Here are the details of the latest Guest OS's: https://azure.microsoft.com/en-us/documentation/articles/cloud-services-guestos-update-matrix/#family-4-releases

edited Oct 09 '15 at 14:48

answered Oct 09 '15 at 14:28

ProVega

5,864
2
36
34

Are you sure, because from my internet research the removeServerHeader attribute does not work in IIS 8.5 either? – dustinmoris Oct 09 '15 at 14:29
Well I know they don't run on Windows 10 (Not a server tech, limited # of connections) or Windows Server 2016 Technical Beta's - So the only choice seems to be Windows Server 2012 R2. We run a bunch of Azure services across Paas and IaaS and everything runs on Windows Server 2012 R2. – ProVega Oct 09 '15 at 14:31
Okay fair enough. And what is in your response header then? Wouldn't IIS 8.5 return Server: Microsoft-IIS/8.5 ? – dustinmoris Oct 09 '15 at 14:33
LOL - Its hard for me to tell you at the moment, because we remove them :) Let me look. I believe it says "IIS 8.5". Here is how we remove them - have you tried this – ProVega Oct 09 '15 at 14:35
yes I just ask because I am pretty sure that it will return 8.5 in the header and my Web App returns 8.0 but clearly is also capable of some features which are not present in IIS 8.0. So my suspicion is that it might run either IIS 8.0 with additional features installed on top of it or it runs some unofficial version? – dustinmoris Oct 09 '15 at 14:36
1

Offtopic: enableVersionHeader="false" doesn't remove the Server http hearder, it removes the aspnet version header, but that is not my question anyway. I know how to remove all the headers. – dustinmoris Oct 09 '15 at 14:39

Why does removeServerHeader work in an Azure Web App?

4 Answers4