Why You Should Remove HTTP Headers in IIS - and How to do it
2 min read
By default, IIS will add a number of HTTP Headers to outgoing responses, indicating details about the server where the site is hosted. Common examples of such are ‘Server’ and ‘X-Powered-By’, which indicate the current server and hints at the underlying tech stack.
These headers aren’t necessary for the site or IIS to run, and so are simply informational. For this reason, they should be removed for production sites as they allow a potential attacker to infer information about the hosted environment, which could allow the attacker to find a vulnerability if the particular version of (e.g IIS, ASP) is disclosed.
The instructions below relate to Google Chrome & the associated Developer Tools, though any browser that allows you to view headers should do the job.
1. View HTTP Headers
Open up Chrome’s Developer Tools and navigate to or refresh a page from the ‘Network’ tab. If you click on a resource it will open up another pane to the right, which indicates the Headers as well as other information.
From here, you’re interested in the ‘Response Headers’.
Manage HTTP Headers using URL Rewrite
The instructions below are based off IIS 10.5, though I believe all versions from 7+ should be largely the same. To remove the information disclosure from headers, the IIS URL Rewrite 2 module should be installed.
For clarification, when saying headers are ‘removed’, this refers to removing the value rather than the header in its entirety.
This section will need the IIS Url Rewrite module to be installed, as specified earlier. Depending on the use case, this can be applied at the server or site level.
Add a Server Variable
First we need to add a server variable, so that we can update the value via rewrite rules.
Select the ‘Url Rewrite’ feature in IIS and click ‘View Server Variables…’ on the right hand side, and add a variable with the name ‘RESPONSE_SERVER’. For ease, I would add this to the server (i.e the top node with the name of the server in the ‘Connections’ tree in IIS), rather than the individual site.
Add a Rewrite Rule
Return to the main Url Rewrite feature page, and add a new outbound rule in IIS – make sure not to use the ‘inbound rule’ template.
The outbound rule should be set up as per the screenshot below. Please ensure the pattern is ‘.*’exactly (i.e match any character 0 or more times).
To test the changes, simply fire up the website and check the results in Developer Tools. Job done!