How to remove IIS/ASP.NET Response Headers

I have a couple of IIS/6.0 servers, and security is asking me to remove a couple of response headers that are sent to client browsers on requests. They are concerned about divulging platform information through response headers. I have removed all the HTTP-HEADERS out of the IIS configuration for the website (X-Powered-By or some such header).

(I personally do know that this information can be easily found out, even if it is hidden, but it isn't my call.)

Headers I want to remove:

  • Server - Microsoft-IIS/6.0
  • X-AspNet-Version - 2.0.50727

I also know that ASP.NET MVC emits its own header; if you know how to remove it as well, that would be helpful.

  • X-AspNetMvc-Version - 1.0

Your security department wants you to do this to make the server type harder to identify. This may lessen the barrage of automated hacking tools and make it more difficult for people to break into the server.

Within IIS, open the web site properties, then go to the HTTP Headers tab. Most of the X- headers can be found and removed here. This can be done for individual sites, or for the entire server (modify the properties for the Web Sites object in the tree).

For the Server header, on IIS6 you can use Microsoft's URLScan tool to remove that. Port 80 Software also makes a product called ServerMask that will take care of that, and a lot more, for you.

For IIS7 (and higher), you can use the URL Rewrite Module to rewrite the server header or blank its value. In web.config (at a site or the server as a whole), add this content after the URL Rewrite Module has been installed:

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

You can put a custom value into the rewrite action if you'd like. This sample is sourced from this article, which also has other great information.

For the MVC header, in Global.asax:

MvcHandler.DisableMvcResponseHeader = true;

Edited 11-12-2019 to update the IIS7 info since the TechNet blog link was no longer valid.


To remove all custom headers that disclose too much information - the methods are varied (unfortunately) for IIS 7:

Header Name: X-Powered-By

Add:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

in the <system.webServer> section.

Header Name: Server

Implement an httpModule that strips this header out by calling Response.Headers.Remove("Server") from the PreSendRequestHeaders event. Another resource for this: Cloaking your ASP.NET MVC Web Application on IIS 7

Header Name: X-AspNet-Version

In the httpRuntime section of the web.config - set:

<httpRuntime enableVersionHeader="false" />

Header Name: X-AspNetMvc-Version

From the Application_Start event in global.asax - execute the following code (C#):

MvcHandler.DisableMvcResponseHeader = true;
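As an added example (not code from either answer above), here is the httpModule approach from the "Header Name: Server" section written out in full, and extended to strip all four headers discussed on this page in one place. It assumes IIS 7 or higher running in the integrated pipeline, since Response.Headers is read-only under the classic pipeline; the class name and web.config registration are my own choices.

```csharp
using System;
using System.Web;

// Strips platform-identifying response headers just before they are sent.
// Register it in web.config (integrated pipeline) with:
//   <system.webServer>
//     <modules>
//       <add name="RemoveServerHeadersModule" type="RemoveServerHeadersModule" />
//     </modules>
//   </system.webServer>
public class RemoveServerHeadersModule : IHttpModule
{
    // Header names taken from the question and answers above; the list is an
    // assumption of this example and can be trimmed or extended as needed.
    private static readonly string[] HeadersToRemove =
    {
        "Server",
        "X-Powered-By",
        "X-AspNet-Version",
        "X-AspNetMvc-Version"
    };

    public void Init(HttpApplication context)
    {
        // PreSendRequestHeaders fires once per response, after the handler and
        // any other modules have finished adding headers.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null)
        {
            return;
        }

        HttpResponse response = app.Context.Response;
        foreach (string header in HeadersToRemove)
        {
            // Remove is a no-op when the header is absent, so it is safe to
            // call for every name on every response.
            response.Headers.Remove(header);
        }
    }

    public void Dispose()
    {
        // Nothing to release; the event subscription dies with the application.
    }
}
```

After deploying, confirm the result by inspecting the raw response headers from a client (for example with curl -I or the browser's developer tools) rather than trusting the configuration alone, since the Server header in particular can be re-added by components that run outside the ASP.NET pipeline.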