I am getting an issue: the IIS version is disclosed in the Server response header and the status code is displaying "302". Can anyone please give me the solution, how to remove the Server header? I have created an IIS rewrite rule for removing the server header.
2 Answers
1
Unfortunately you can't easily remove the Server header. The best way that I'm aware of is to utilize rewrite rules.
The following outbound rewrite rule (outboundRule) will remove the Server header:
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

Jesse Johnson
Thanks for your suggestion, but this outbound rule is already created in IIS. I have done VAPT testing for my application. In testing, for one specific URL, the IIS version is being disclosed and the status code is showing "302". I have been trying for a couple of days but the issue is not resolved. – Srinivas May 06 '20 at 04:44
0
As the blog mentioned, URL rewrite rules are feasible for Http.Sys error. I advise you to remove the server header by using request filtering. In IIS 10.0 (Windows 2016 and above), we can simply remove the Server header by configuring requestFiltering in the System.webServer section.
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
  <directoryBrowse enabled="true"/>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
This way, we don't have to apply the complex outbound rewrite rules, and it still works when the server comes by HTTP error.
Feel free to let me know if the problem still exists.

Abraham Qian
Thanks for your suggestion, I have done as you said. While doing VAPT testing for my application, for one specific URL, the IIS version is being disclosed. – Srinivas May 06 '20 at 12:44
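
One way to verify either configuration per URL, including the 302 response described in the comments, shown as an added example that is not part of the original answers. It inspects each response without following redirects, so a Server header on the redirect itself is not hidden by the page it points to; the function names and the sample response heads are constructed for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

# Product token followed by a version, e.g. "Microsoft-IIS/10.0".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")

def parse_head(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers

def server_findings(status, headers):
    """Return (status, kind, value) per Server header; kind is version/present/empty."""
    findings = []
    for name, value in headers:
        if name.lower() != "server":
            continue
        if VERSION_TOKEN.search(value):
            kind = "version"  # product and version disclosed
        elif value:
            kind = "present"  # header has a value but no version token
        else:
            kind = "empty"    # header kept with a blank value (rewrite to "")
        findings.append((status, kind, value))
    return findings

def check_url(url, timeout=10):
    """Fetch one URL; http.client does not follow redirects, so a 302 is checked as-is."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return server_findings(resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample response heads (not captured from a real server).
SAMPLE_302 = "HTTP/1.1 302 Found\r\nLocation: /login\r\nServer: Microsoft-IIS/10.0\r\n\r\n"
SAMPLE_200_BLANKED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: \r\n\r\n"
SAMPLE_200_REMOVED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

Running `check_url` against each URL from the test report, rather than only the site root, shows which responses still carry the header after a configuration change.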