Stefan Goßner

Senior Escalation Engineer for SharePoint (WSS, SPS, MOSS, SP2010) and MCMS

IIS 7 - How to send a custom "Server" http header

A question we have often seen in the past is how to prevent IIS from sending the server identification header, which allows a client to identify which type of HTTP server it is talking to. Usually this request comes from security concerns, as knowing the server product would make it easier for an attacker to break into the system.

Although this assumption from customers is very doubtful, we still need to be able to provide a solution for it.

Out of the box all our IIS servers respond with a server header similar to the following (sample is for IIS 6.0):

Server: Microsoft-IIS/6.0

For IIS 5 and IIS 6, customers often used UrlScan, which allows removing the server header from the response.

On IIS 7 this tool cannot be installed - but due to the very modular structure of IIS 7 it is possible to remove or even replace the Server header in a much more convenient way: using a custom module which is injected into the IIS 7 pipeline. Such a module can be developed using either managed or unmanaged code.

Here is a sample .NET module which replaces the Server HTTP header with a custom value:

using System;
using System.Text;
using System.Web;

namespace StefanG.ServerModules
{
    public class CustomServerHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Hook the event that fires just before the response headers are sent,
            // the last point at which the header collection can still be changed.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
            // Nothing to release: the module holds no unmanaged resources.
        }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Overwrite the "Server" HTTP header with a custom value
            HttpContext.Current.Response.Headers.Set("Server", "Stefan's Webserver");
        }
    }
}

That's it! When building this module, ensure it is strong-named, as it needs to be placed into the global assembly cache in order to allow IIS 7 to use it. To add the module to IIS 7, use the "Modules" configuration option on the server, choose "Add managed module" and select the module from the list of available modules.
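To confirm from the client side that the module actually took effect, here is an added Python check (not code from the original post) that classifies the Server header a server returns as the out-of-the-box IIS value, a custom value, or absent. The regular expression for the default IIS value and the sample responses are constructed here; the hostname passed to audit_live is a placeholder for a server you operate.

```python
"""Audit the Server header a web server sends, after deploying a header-rewriting module."""
import http.client
import re
from email.parser import BytesHeaderParser

# Assumed pattern for the out-of-the-box IIS value, e.g. "Microsoft-IIS/6.0" as shown above.
IIS_VERSION = re.compile(r"^Microsoft-IIS/\d+(\.\d+)?$", re.IGNORECASE)


def classify_server_header(value):
    """Return 'missing', 'iis-version' or 'custom' for a Server header value."""
    if value is None or value.strip() == "":
        return "missing"
    if IIS_VERSION.match(value.strip()):
        return "iis-version"
    return "custom"


def audit_raw_response(raw):
    """Parse raw HTTP response bytes (status line + headers) and classify the Server header."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    headers = BytesHeaderParser().parsebytes(header_block)
    server = headers.get("Server")
    return {"status": status_line.decode("ascii", "replace"),
            "server": server,
            "verdict": classify_server_header(server)}


def audit_live(host, port=80, path="/"):
    """Issue a HEAD request to a server you operate and classify its Server header."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        server = resp.getheader("Server")
        return {"status": resp.status, "server": server,
                "verdict": classify_server_header(server)}
    finally:
        conn.close()


# Constructed sample responses: the default IIS 6.0 header vs. the module's replacement.
DEFAULT_IIS = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n"
CUSTOM = b"HTTP/1.1 200 OK\r\nServer: Stefan's Webserver\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for raw in (DEFAULT_IIS, CUSTOM):
        print(audit_raw_response(raw))
```

Note that the module above only affects the Integrated pipeline mode of IIS 7; if audit_live still reports "iis-version" after installation, check the application pool's pipeline mode first.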

Comments
  • I know, but I want to eliminate the cookie from the response altogether as passing it to the client would mean a security issue.

  • Hi Mats,

    I don't know if this is possible.

    Cheers,

    Stefan

  • Thanks for the great post. One thing I noticed is that the latest URLScan (its current version is 3.1) is actually working on both IIS 7.0 and IIS 7.5. So we can simply add RemoveServerHeader=1 in URLScan.ini configuration file, if our goal is just to strip the server information from the header completely.

    Thanks,

    AMB

  • If you're using IIS7 / Azure then have a look at this:

    stackoverflow.com/.../removing-hiding-disabling-excessive-http-response-headers-in-azure-iis7-without

    It shows the best way to disable these headers without using HttpModules.
