Hiding -or- Removing IIS Server Details from its HTTP Headers using URL Rewrite feature in IIS 8

Avoiding information disclosure unless it is actually needed also keeps your web resources more secure. Here is how to prevent your IIS web server details from being disclosed in HTTP response headers.

Environment:

You have built a website (www.hideheaders.com) that is hosted on IIS 8 running on Windows Server 2012. When you inspect the requests for its pages, you notice that your web server details are being presented to end users in the response header values.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.4.24
X-Pingback: http://www.httpheaders.com/xmlrpc.php
Link: http://wp.me/7oDFde; rel=shortlink
Date: Tue, 13 May 2014 06:53:30 GMT
Content-Length: 82893

The HTTP headers "Server" and "X-Powered-By" are sensitive information with respect to website and web server security. You can restrict or avoid this disclosure in a couple of ways; below I detail a very simple, built-in option, the "URL Rewrite" feature of IIS 8.

Using URL Rewrite in IIS 8, you can define rules for all outgoing traffic of the selected website that overwrite the values of the "Server" and "X-Powered-By" headers with an empty value.

Launch IIS 8 Manager > select the website > in "Features View", click "URL Rewrite" as shown below.

image

Create a server variable for the HTTP header: in the Actions pane, click "View Server Variables" > Add > enter RESPONSE_SERVER in the text box (as shown below).

image

Create an outbound URL Rewrite rule: in the Actions pane, click "Add Rule(s)…" > select "Outbound Rules" > "Blank Rule".

image

Key in the appropriate values as shown below and then click Apply.

image

Repeat the above two steps for the second variable, "RESPONSE_X-POWERED-BY", then browse to your website and inspect the headers: you will notice that these headers no longer expose any data. Yay!!!


HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Server:
X-Powered-By:

X-Pingback: http://www.httpheaders.com/xmlrpc.php
Link: <http://wp.me/7oDFde>; rel=shortlink
Date: Tue, 13 May 2014 07:18:32 GMT
Content-Length: 97131
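A quick way to confirm the result is to check a captured response head for the identifying headers. The following is an added example, not code from the original post: it parses a response head pasted from the browser's developer tools and reports, for each header of interest, whether it still leaks a value, is sent empty, or is absent. The before/after captures from the post are embedded as constructed input, and X-AspNet-Version is an assumed extra header to watch on ASP.NET sites.

```python
# Headers that reveal the server stack. X-AspNet-Version is an added
# assumption for ASP.NET sites; the other two appear in the post's captures.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Constructed input: the before/after response heads shown in the post.
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.4.24
Content-Length: 82893
"""

AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server:
X-Powered-By:
Content-Length: 97131
"""


def parse_response_headers(raw: str) -> dict:
    """Map lower-cased header names to values from a captured response head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is status line
        if not line.strip():
            continue                       # tolerate stray blank lines in a paste
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_disclosure(raw: str) -> dict:
    """Report 'leaks <value>', 'empty' or 'absent' for each disclosure header.

    'empty' is kept distinct from 'absent': the URL Rewrite rule blanks the
    value but the header name is still sent, as the post's second capture shows.
    """
    headers = parse_response_headers(raw)
    report = {}
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name.lower())
        if value is None:
            report[name] = "absent"
        elif value == "":
            report[name] = "empty"
        else:
            report[name] = "leaks " + value
    return report
```

Run `classify_disclosure(BEFORE)` and `classify_disclosure(AFTER)` to compare the two captures; the rewritten response reports both headers as "empty" rather than "absent".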


Alternatively, you can set up the rules by directly updating the site's web.config file as shown below:

    <configuration>
      <system.webServer>
        <rewrite>
          <outboundRules>
            <!-- Match any non-empty Server value and rewrite it to an empty value.
                 RESPONSE_SERVER is the server variable added under "View Server Variables" above. -->
            <rule name="Remove Server Header">
              <match serverVariable="RESPONSE_SERVER" pattern=".+" />
              <action type="Rewrite" />
            </rule>
            <!-- Same for X-Powered-By, via the RESPONSE_X-POWERED-BY server variable. -->
            <rule name="Remove X-PoweredBy Header">
              <match serverVariable="RESPONSE_X-POWERED-BY" pattern=".+" />
              <action type="Rewrite" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>

References: Remove Unwanted HTTP Response Headers
