How To Remove Response Headers In IIS
What is an HTTP Response Header?
As defined in MDN:
A response header is an HTTP header that can be used in an HTTP response and that doesn’t relate to the content of the message […] (MDN Web Doc)
In this scenario, I am using IIS version 10.0 and we are going to be requesting the default website that comes with IIS.
A typical request to “localhost” returns the following Response HTTP Headers:
Our first task is to remove the “Server” variable. This variable describes the software used by the origin server that handled the request.
Method #1
If you have IIS version 10.0 this is really simple.
- Go at Site level and click “Configuration Editor”
2. Navigate to “system.webServer/security/requestFiltering” and set the value of the following key to:
- removeServerVariable: True
3. Test!
Method #2
We can use URL Rewrite Module to set the value of the “Server” variable to an empty string.
You can install this module through the Web Platform Installer.
- Go to site level and click the “URL Rewrite” module
2. On the “Actions” pane on the right, select “View Server Variables…”
3. On the “Actions” pane on the right, select “Add…”
4. Add a server variable called: “RESPONSE_SERVER”
5. Let's go back to the Rules and click “Add Rule(s)…”
6. Select “Outbound rules > Blank rule” and “OK”
7. Set the following values and click “Apply”
Match Section
• Name: Remove Server Variable (or whatever you would like)
• Matching scope: Server Variable
• Variable name: RESPONSE_HEADER
• Variable value: Matches the Pattern
• Using: Regular Expressions
- Pattern: .*
Action Section
• Action type: Rewrite
• Value: (empty string)
- Make sure “Replace existing server variable value” is checked.
8. Test!
Bonus
Using method #2 we are going to modify “X-Powered-By” variable.
- Add variable to the list
2. Create an outbound rule
3. Test!
Now it is your turn, try removing or changing other Response Headers variables!