2

In the past you could use UrlScan by Microsoft to modify the headers and remove the ones displaying the IIS version, for example.

This does not work for IIS 7.5 and IIS 7.0 is the latest version supported. Is there any way I can still remove some response headers?

Running Windows Server 2008 with IIS7.5 installed.

Rob

2 Answers

6

You can use an IIS Native-Code module to remove any headers in IIS 7.5 (in fact, the same module should work for IIS 7.0 - 8.5).

Native-Code modules differ from the more common Managed modules, as they are written using the win32 APIs rather than ASP.NET. They work for all requests, including static pages and images.

Binaries and source code of an example Native-Code module for removing headers in IIS 7.0 to 8.5 are available in the following article. This module is a simple MSI install and will remove the "Server", "X-Powered-By" and "AspNet Version" headers by default. Other headers can be removed using the IIS configuration.

http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

ph1ll
  • The headers were indeed gone after installation and iisreset. However we had application pools (in 32-bit mode) that were stopped after the installation and iisreset. Later we had other problems with some applications. No time to go into the details. Other sites worked fine. We uninstalled the msi and the few problems were gone. This is actually a good thing, because it tells me that you can safely try this module. – Chris Aug 25 '14 at 13:20
  • Have you tried the latest version (1.0.2)? It was updated to specifically support 32 bit app pools. – ph1ll Aug 27 '14 at 11:07
2

There are lots of resources over the Web that explain how to do it. Just a sample:

However I admit that most of them will not work in every context:

  • it will depend on the access you have, or not, to the Global.asax.cs file source code.
  • the Global.asax approach is only valid for a website developed with ASP.NET. So what if your website is only static html pages, and css or js?
  • the web.config approach will not be able to remove the Server Version header.

For my part, I have decided to get rid of all development related workarounds.

I've chosen the URL Rewrite approach so I am totally independent of web developers (if any) and of ASP.NET or HTML development.


To remove the header X-Powered-By:

  1. In IIS Manager, navigate to your Web site
  2. Select HTTP Response Header
  3. Select X-Powered-By and click Remove

To remove the Server Version header I use the URL Rewrite extension from Microsoft:

Then I've defined an outbound rule to rewrite the Server Version with an empty value. But I could also write a wrong value like Apache or unknown ;)

I hope that, like me, you will find these links very useful to implement what I am talking about:


Finally, I have not tested it myself, but it seems that you still can use UrlScan with IIS7.5/8:

Glorfindel
krisFR
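The two steps described in the answer above, written out as a site-level web.config. This is an added example, not configuration taken from the answer or its links; it assumes the Microsoft URL Rewrite module is installed, and the rule name is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>

    <!-- What the IIS Manager "HTTP Response Headers > Remove" step
         writes for the site: drop the inherited X-Powered-By header. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <!-- Requires the URL Rewrite module. Response headers are exposed to
         outbound rules as server variables named RESPONSE_<header>, with
         dashes replaced by underscores, so "Server" is RESPONSE_Server. -->
    <rewrite>
      <outboundRules>
        <!-- Rule name is a constructed placeholder. -->
        <rule name="Blank Server header">
          <!-- Match any non-empty Server value... -->
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <!-- ...and rewrite it to an empty string. -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

  </system.webServer>
</configuration>
```

After deploying, request a static file and a dynamic page and inspect the response headers of both, since the outbound rule only affects responses that pass through the IIS pipeline for this site.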