
Why You Should Remove HTTP Headers in IIS - and How to do it

October 2018 2 min read

By default, IIS adds a number of HTTP headers to outgoing responses that reveal details about the server hosting the site. Common examples are ‘Server’ and ‘X-Powered-By’, which identify the web server software and hint at the underlying tech stack.

These headers aren’t necessary for the site or IIS to run, so they are purely informational. For this reason they should be removed on production sites: they let a potential attacker infer details about the hosted environment, and if the specific version of a component (e.g. IIS, ASP) is disclosed, that makes it easier to find a matching vulnerability.

The instructions below relate to Google Chrome & the associated Developer Tools, though any browser that allows you to view headers should do the job.


1. View HTTP Headers

Open up Chrome’s Developer Tools, switch to the ‘Network’ tab, and then navigate to or refresh a page. Clicking on a resource opens another pane to the right, which shows the headers as well as other information.

From here, you’re interested in the ‘Response Headers’.

Manage HTTP Headers using URL Rewrite

The instructions below are based on IIS 10.5, though I believe all versions from 7 upwards should be largely the same. To remove the information disclosure from headers, the IIS URL Rewrite 2 module should be installed.

For clarification, when saying headers are ‘removed’, this refers to removing the value rather than the header in its entirety.

Remove Server

This section will need the IIS Url Rewrite module to be installed, as specified earlier. Depending on the use case, this can be applied at the server or site level.

Add a Server Variable

First we need to add a server variable, so that we can update the value via rewrite rules.

Select the ‘Url Rewrite’ feature in IIS and click ‘View Server Variables…’ on the right hand side, and add a variable with the name ‘RESPONSE_SERVER’. For ease, I would add this to the server (i.e the top node with the name of the server in the ‘Connections’ tree in IIS), rather than the individual site.

Add a Rewrite Rule

Return to the main Url Rewrite feature page, and add a new outbound rule in IIS – make sure not to use the ‘inbound rule’ template.

The outbound rule should be set up as per the screenshot below. Please ensure the pattern is ‘.*’ exactly (i.e. match any character 0 or more times), so that whatever value IIS puts in the Server header is matched and rewritten to an empty string.
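For reference, here is the configuration the two steps above end up writing. This is an added example, not configuration from the original article: the rule name is my own choice, and the server variable name RESPONSE_SERVER and the ‘.*’ pattern are those described above. The ‘X-Powered-By’ removal at the bottom is included because the article names that header too; it uses the httpProtocol/customHeaders section of IIS rather than URL Rewrite, which the article does not cover.

```xml
<!-- 1. Server level (applicationHost.config, the top "server" node in IIS).
     URL Rewrite only lets outbound rules touch server variables that have
     been allowed here, which is what "View Server Variables..." edits. -->
<configuration>
  <system.webServer>
    <rewrite>
      <allowedServerVariables>
        <add name="RESPONSE_SERVER" />
      </allowedServerVariables>
    </rewrite>
  </system.webServer>
</configuration>

<!-- 2. Site level (the site's web.config), or again at server level if the
     rule should apply to every site. The rule name is an assumption;
     pattern ".*" matches any current Server value and the Rewrite action
     replaces it with an empty string, so the header is sent without a value
     rather than being dropped entirely, as the article notes. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Remove Server header value">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

    <!-- X-Powered-By is a custom header added by IIS, so it can be removed
         outright here without URL Rewrite. Not part of the article's steps. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

If the outbound rule is added at site level but the allowedServerVariables entry is missing at server level, IIS rejects the rule with an error about the variable not being allowed, which is why the article recommends adding the variable on the server node.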

Testing

To test the changes, simply fire up the website and check the results in Developer Tools. Job done!

Written by Chris Gray, Infrastructure Manager

The views expressed in this article are solely those of the author unless explicitly stated. Unless of course, the article made you laugh, in which case, all credit should be directed towards our marketing department.