Remove/Modify IIS 10 Server Header which discloses IIS version
I tested the trick on this site and it works well on IIS 10.
https://www.saotn.org/remove-iis-server-version-http-response-header/#removeserverheader-requestfiltering-in-iis-10-0
Simple web.config:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <security>
          <requestFiltering removeServerHeader="true" />
        </security>
      </system.webServer>
    </configuration>
I remembered I've seen this is possible in IIS10, and indeed I blogged about this in New features in IIS 10.
There is a new removeServerHeader setting, but it is not available in the GUI; you have to use the Configuration Editor or PowerShell:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"
for the whole server; if you just need it for a site, use:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"
This seems to work fine for me, no reboot or restart of IIS is required.
It doesn't affect the http.sys server header in the rare case that it responds to a request.
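To confirm the setting took effect, the following added example (not part of either answer above) reads `removeServerHeader` back at server and site level and then inspects the `Server` header of a live response. It assumes Windows PowerShell 5.1 run elevated on the IIS host; the site name and URL are placeholders for your environment.

```powershell
Import-Module WebAdministration

# Assumptions: adjust these two values to the site you are auditing.
$siteName = 'Default Web Site'
$url      = 'http://localhost/'
$filter   = 'system.webServer/security/requestFiltering'

function Get-RemoveServerHeader {
    param([string]$PSPath)
    # Returns the effective boolean value of the attribute at the given config path.
    (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'removeServerHeader').Value
}

# 1. What the configuration says, at both scopes used in the answers.
$serverLevel = Get-RemoveServerHeader 'MACHINE/WEBROOT/APPHOST'
$siteLevel   = Get-RemoveServerHeader "MACHINE/WEBROOT/APPHOST/$siteName"

# 2. What a client actually sees. Error responses still carry headers,
#    so read them from the exception when the status is not 2xx.
try {
    $headers = (Invoke-WebRequest -Uri $url -UseBasicParsing).Headers
} catch [System.Net.WebException] {
    if (-not $_.Exception.Response) { throw }   # no HTTP response at all (DNS, refused, ...)
    $headers = $_.Exception.Response.Headers
}
$serverHeader = $headers['Server']

# 3. Classify the result. http.sys answers some requests itself and its
#    header is not controlled by removeServerHeader.
$verdict = if (-not $serverHeader) {
    'OK: no Server header in the response'
} elseif ($serverHeader -match '^Microsoft-IIS/') {
    'FAIL: IIS version is still disclosed'
} elseif ($serverHeader -match '^Microsoft-HTTPAPI/') {
    'NOTE: response came from http.sys, which removeServerHeader does not cover'
} else {
    "CHECK: Server header set by something else (proxy, module): $serverHeader"
}

[pscustomobject]@{
    ServerLevelSetting = $serverLevel
    SiteLevelSetting   = $siteLevel
    ServerHeader       = $serverHeader
    Verdict            = $verdict
}
```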