
I'm stuck with a really weird problem and can't figure out how to handle it. I have an ASP Web API application hosted in IIS 10. I use the IIS Rewrite module with an outbound rule which removes any Server header:

  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>

It always works like a charm, except when I send a request using the DEBUG verb. In this case it returns the Server header and a response body stating that debug is not implemented. I tried to fix that by using the following setting:

<security>
  <requestFiltering removeServerHeader="true" >
    <verbs allowUnlisted="true">
      <clear/>
      <add verb="DEBUG" allowed="false"/>
    </verbs>
  </requestFiltering>
</security>

Btw, requestFiltering removeServerHeader="true" also removes the Server header (when IIS Rewrite is disabled). Again, in all cases except a DEBUG request. Disallowing DEBUG technically gives me nothing as well: I'm no longer getting the body of the request, but I'm still getting the Server header with my server info. I also tried custom modules, also with no luck.

What else can I do to hide the Server variable for DEBUG requests?
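
A check for the behaviour described in the question, as an added example that is not part of the original post: it sends one request per verb and lists the verbs whose response still carries a `Server` header. The verb list, the function names and the local stub server (a constructed stand-in that leaks the header only on DEBUG, as the question reports for IIS) are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VERBS = ["GET", "HEAD", "POST", "OPTIONS", "TRACE", "DEBUG"]  # assumed verb set

def server_header_by_verb(host, port, path="/", verbs=VERBS, use_tls=False, timeout=5):
    """Send one request per verb; return {verb: (status, Server header or None)}."""
    results = {}
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    for verb in verbs:
        conn = cls(host, port, timeout=timeout)
        try:
            conn.request(verb, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[verb] = (resp.status, resp.getheader("Server"))
        finally:
            conn.close()
    return results

def leaking_verbs(results):
    # A header rewritten to an empty value discloses nothing, so only non-empty values count.
    return sorted(v for v, (_, server) in results.items() if server)

class _Stub(BaseHTTPRequestHandler):
    # Constructed stand-in for the server in the question: Server header only on DEBUG.
    def _reply(self):
        leak = self.command == "DEBUG"
        self.send_response_only(501 if leak else 200)  # no automatic Server/Date headers
        if leak:
            self.send_header("Server", "Stub-Server/1.0")  # constructed value
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = do_POST = do_OPTIONS = do_TRACE = do_DEBUG = _reply
    def log_message(self, *args):
        pass  # keep the stub quiet

def run_against_stub():
    srv = HTTPServer(("127.0.0.1", 0), _Stub)  # port 0: any free local port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return server_header_by_verb("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("verbs still returning a Server header:", leaking_verbs(run_against_stub()))
```

To run it against a real site, call `server_header_by_verb` with that site's host and port (and `use_tls=True` for HTTPS) instead of the stub.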

0 Answers