IIS7 Response header exposes server information when post request is incomplete

IIS reveals "Server: Microsoft-HTTPAPI/2.0" in the response header when an invalid POST request is made, e.g. Content-Length is not included in the header. The response returned also says HTTP/1.1 411 Length Required.

The closest case I have found was this forum post at iis.net: http://forums.iis.net/t/1178183.aspx/1 but still not having any luck.

I have also attempted to implement this: http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx and it doesn't stop the server header from being added / renamed.

My client is asking for all "Server" headers to be removed as part of their security requirements. (Don't ask me why, I'm just the schmuck who just has to get it done.)

Anyone encounter this before?


Stumbled on Paul Bouwer's blog.

Turns out that when the "Microsoft-HTTPAPI/2.0" server header appears, it means that the HTTP.SYS driver has handled the request and it never gets to IIS for processing. Makes sense: why waste time sending to IIS when you can tackle an invalid request as early as possible?

In order to stop HTTP.SYS from adding the server header, a REG_DWORD needs to be added to the registry: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Add a REG_DWORD called "DisableServerHeader" with a value of 1.

I wasn't keen on trying to find a way to restart the driver and deal with the dependencies, so I rebooted the machine.

After reboot, tested with Fiddler and everything worked fine.
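
The registry change and the re-test described in the answer above, as an added PowerShell example that is not part of the original post. It assumes an elevated session on the IIS host and a site listening on localhost port 80; the function names are hypothetical.

```powershell
# Added example: run from an elevated PowerShell session on the IIS host.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableServerHeader'

function Set-HttpSysServerHeaderDisabled {
    # Create (or overwrite) the REG_DWORD from the answer and return the stored value.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name $name).$name
}

function Get-IncompletePostResponseHeaders {
    param(
        [string]$HostName = 'localhost',  # assumption: check the local server
        [int]$Port = 80                   # assumption: plain HTTP binding
    )
    # POST without Content-Length: the request shape from the question,
    # which HTTP.SYS answers with 411 before IIS ever sees it.
    $request = "POST / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
    $client  = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $lines = @()
        # Read the status line and headers up to the blank line that ends them.
        while ($null -ne ($line = $reader.ReadLine()) -and $line -ne '') { $lines += $line }
        $lines
    } finally {
        $client.Close()
    }
}

if ((Set-HttpSysServerHeaderDisabled) -eq 1) {
    Write-Host "$name = 1. The answer rebooted the machine before testing."
}

# Run this part again after the reboot to confirm the header is gone.
$headers = Get-IncompletePostResponseHeaders
Write-Host "Status: $($headers | Select-Object -First 1)"
$serverHeader = $headers | Where-Object { $_ -match '^Server:' }
if ($serverHeader) { Write-Warning "Still exposed: $serverHeader" }
else { Write-Host 'No Server header in the 411 response.' }
```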