How to Remove Microsoft-HTTPAPI/2.0 Header on IIS 8 and 10
Solution 1:
If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).
You can test this by throwing an error using CURL:
curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"
You will see something like this if your server is sending the header:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
You can add a registry value so HTTP.sys doesn't include the header.
- Open Regedit
- Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
- Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"
Reference: WS/WCF: Remove Server Header
After you add the registry key, the response looks like this:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
Posting here so people who need this can find it. (Thanks, Oram!)