Today I was asked if it was possible to remove the Server Name that is included in the default IIS HTTP Response Headers. In case you haven’t seen this, you can easily view the details using Fiddler.
Removing this is really only security by obscurity since there are other ways to identify if your web server is running IIS or not. But I am a firm believer in adding as many layers of security to the mix as possible, so I thought this effort might be worth investigating.
Thanks to Stefan Gossner I was able to find the necessary information. (borrowing from his site) It turns out that nothing native in the IIS configuration will remove this feature. In the IIS 5.0/6.0 worlds you would have to use URLScan to remove the Response Headers you didn’t want to send. This isn’t possible in IIS 7 so you have to use another technique: HttpModules.
Stefan provides a nice official way to accomplish this using a replace command and registering the module into the Global Assembly Cache (GAC). I like to keep things loose and fast, so I slightly modified the code to perform either a replacement or a removal, and added the additional config info that allows you to simply drop the module into the App_Code folder. Here are the easy steps:
First, create a new class file in the App_Code folder of your website root. Call it anything you like; in my example I called it HttpResponseServername.cs. Add the following code:
    using System;
    using System.Web;

    public class HttpResponseServerName : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Run just before the response headers are sent to the client.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers can only be modified in the IIS 7 integrated pipeline.

            // Modify Http Response Header "Server"
            HttpContext.Current.Response.Headers.Set("Server", "DSCODUC's Web Server");

            // Remove Http Response Header "Server"
            //HttpContext.Current.Response.Headers.Remove("Server");
        }
    }
Next you need to add a section into your web.config file to call the module. Edit your web.config file and add the following entry:

    <system.webServer>
      ...
      <modules>
        ...
        <add name="HttpResponseServerName" type="HttpResponseServerName"/>
        ...
      </modules>
      ...
    </system.webServer>
That’s about all it takes to remove the Server value from the HTTP response headers. Let me know if you have any problems or issues with the instructions.
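
To check the result on your own server, the following added example (not part of the original post or of Stefan Gossner's code) parses a raw response head, such as one copied from Fiddler, and lists the headers that still identify the stack. The sample responses are constructed, and the header list in `IDENTIFYING` is an assumption of this example; it goes beyond `Server` to show the "other ways to identify" point made above.

```python
import re

# Assumed list for this example: headers that commonly reveal IIS / ASP.NET.
IDENTIFYING = {
    "server": re.compile(r"Microsoft-(IIS|HTTPAPI)/[\d.]+", re.I),
    "x-powered-by": re.compile(r".+"),
    "x-aspnet-version": re.compile(r".+"),
    "x-aspnetmvc-version": re.compile(r".+"),
}

def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def identifying_headers(raw):
    """Return the (name, value) pairs that still disclose the server stack."""
    _, headers = parse_headers(raw)
    return [(n, v) for n, v in headers
            if n.lower() in IDENTIFYING and IDENTIFYING[n.lower()].search(v)]

# Constructed sample responses (not captured from a real server).
BASE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n{}Content-Length: 0\r\n\r\n"
DEFAULT = BASE.format("Server: Microsoft-IIS/7.0\r\nX-Powered-By: ASP.NET\r\n")
REPLACED = BASE.format("Server: DSCODUC's Web Server\r\nX-Powered-By: ASP.NET\r\n")
REMOVED = BASE.format("X-Powered-By: ASP.NET\r\n")
CLEAN = BASE.format("")

if __name__ == "__main__":
    for label, raw in [("default", DEFAULT), ("replaced", REPLACED),
                       ("removed", REMOVED), ("clean", CLEAN)]:
        print(label, identifying_headers(raw))
```

In the constructed samples, replacing or removing `Server` still leaves `X-Powered-By` in the response, so the module alone does not hide the platform.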




Kim Cameron's Identity Weblog
Thu, Jun 4, 2009
Security, Technology