6

I need to remove the 'Server' header from all http requests coming to my IIS site due to PCI DSS scanning restrictions. I am running the latest version of Windows Server 2016 using the latest version of IIS 10. The IIS Request Filtering role is installed in Roles and Features.

My configuration file looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

I am serving a static file; for the purposes of this test, it is called index.html and contains <html></html>.

After creating the config file, restarting IIS, and requesting the file, IIS is still sending the Server header:


The only other way I know of is to install the IIS-rewrite module; however, this is extremely undesirable as we are running a server farm and this would need to be done to multiple servers and server images.

Are there any other things I can try to get request filtering working?

Is there any other way to remove the Server header which doesn't require IIS-rewrite?

P.S. I can reproduce this on multiple servers by creating a new site in IIS, and creating an index file and a web config as above - it feels like I'm missing something obvious.

caesay

2 Answers

1

IIS 10.0 added the removeServerHeader attribute to suppress sending the HTTP server header to remote clients.

Previous IIS versions do not support it.

0

I had the same issue removing the server response header in IIS 10 because I was using a URL rewrite rule to issue a 302 redirect for http traffic. All of the other methods work for the specific site, but not for the redirect response.

To get this to work you need to set the variable at the server level. To do this:

  1. Open IIS and click on the server node, which is the first node.

  2. Double-click the Configuration Editor.

  3. Set removeServerHeader to True.

cmartin
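The server-level setting from the answer above, applied from PowerShell and then checked against both a static file and a redirect response, so it can be scripted across a farm. This is an added example, not code from the question or the answers; it assumes Windows PowerShell 5.1 with the WebAdministration module on IIS 10, and the two localhost URLs and the `Get-ServerHeader` helper are hypothetical names to adapt.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'   # server level (applicationHost.config)
$filter  = 'system.webServer/security/requestFiltering'

# Set removeServerHeader at the server node rather than in a site's web.config.
Set-WebConfigurationProperty -PSPath $apphost -Filter $filter `
    -Name 'removeServerHeader' -Value $true

# Read the value back to confirm what was written.
$current = (Get-WebConfigurationProperty -PSPath $apphost -Filter $filter `
    -Name 'removeServerHeader').Value
Write-Output "removeServerHeader at server level: $current"

function Get-ServerHeader {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false      # inspect the 302 itself, not its target
    try {
        $resp = $req.GetResponse()
    } catch {
        # 4xx/5xx raise a WebException that still carries the response headers.
        $resp = $_.Exception.GetBaseException().Response
        if (-not $resp) { throw }        # connection failure: nothing to inspect
    }
    try {
        [pscustomobject]@{
            Url    = $Url
            Status = [int]$resp.StatusCode
            Server = $resp.Headers['Server']   # $null when the header is absent
        }
    } finally {
        $resp.Close()
    }
}

# Assumed test URLs: a static file and an address that answers with a redirect.
$results = 'http://localhost/index.html', 'http://localhost/' |
    ForEach-Object { Get-ServerHeader -Url $_ }
$results | Format-Table -AutoSize

$leaking = $results | Where-Object { $_.Server }
if ($leaking) { throw "Server header still present on: $($leaking.Url -join ', ')" }
```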