Bug in RemoveServerHeader attribute for IIS 10+


Bug in RemoveServerHeader attribute for IIS 10+

There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.

The description of the bug states:

The new removeServerHeader boolean property added in IIS 10 does not work for the very first request to a web application. If you fresh start/restart a web application with this property set in its web.config, and then send a fresh GET request to a page on the site, the Server header is still there. In subsequent requests, it is gone, as it should be.

My own observed symptom of the bug in RemoveServerheader is that is sometimes work and other times doesn’t. So some of the response will have it and others not. It is therefor a good idea to add a URL Rewrite as backup.

The rewrite rule will not remove the serverheader but will null it. Add the following to the web.config file of the application.

<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />

Leave a Reply

2 Comment threads
1 Thread replies
Most reacted comment
Hottest comment thread
3 Comment authors
HakonWayne Clifford BarkerJames Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

newest oldest most voted
Notify of

I have tried applying this but it does not always seem to work, any suggestions?


It does not work when 404 for instance. Any suggestions?