Bug in RemoveServerHeader attribute for IIS 10+

By | July 9, 2018


There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.

The description of the bug states:

The new removeServerHeader boolean property added in IIS 10 does not work for the very first request to a web application. If you fresh start/restart a web application with this property set in its web.config, and then send a fresh GET request to a page on the site, the Server header is still there. In subsequent requests, it is gone, as it should be.

My own observed symptom of the bug in RemoveServerHeader is that it sometimes works and other times doesn't, so some of the responses will have the header and others will not. It is therefore a good idea to add a URL Rewrite rule as a backup.

The rewrite rule does not remove the Server header; it sets the header's value to an empty string. Add the following to the web.config file of the application, inside the `<system.webServer>` section (the URL Rewrite module must be installed):

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
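
Because the symptom is intermittent, it is worth checking more than one response after a restart. The following is an added example, not code from the original post: it requests a URL several times on fresh connections and reports, per request, whether the Server header was absent, blank (the rewrite rule applied) or still named the server. The function names and the sample header values are constructed for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Constructed sample: headers of three responses as (name, value) pairs.
SAMPLE = [
    [("Content-Type", "text/html"), ("Server", "Microsoft-IIS/10.0")],
    [("Content-Type", "text/html")],
    [("Content-Type", "text/html"), ("Server", "")],
]

def classify(headers):
    """Return 'absent', 'blank' or 'leaked:<value>' for one response."""
    values = [v.strip() for k, v in headers if k.lower() == "server"]
    if not values:
        return "absent"   # header removed entirely
    named = [v for v in values if v]
    if not named:
        return "blank"    # header present but emptied by the rewrite rule
    return "leaked:" + ",".join(named)

def leaking_requests(results):
    """1-based numbers of the requests whose response still named the server."""
    return [n for n, r in enumerate(results, 1) if r.startswith("leaked:")]

def probe(url, attempts=10):
    """GET the URL `attempts` times, one fresh connection per request."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    results = []
    for _ in range(attempts):
        conn = conn_cls(parts.netloc, timeout=10)
        try:
            conn.request("GET", target)
            resp = conn.getresponse()
            resp.read()
            results.append(classify(resp.getheaders()))
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    # With a URL argument, probe that site; without one, use the sample.
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else [classify(h) for h in SAMPLE]
    for n, r in enumerate(results, 1):
        print(f"request {n}: {r}")
    sys.exit(1 if leaking_requests(results) else 0)
```

Run it against your own site immediately after recycling the application so that request 1 is the first request the application serves; a non-zero exit code means at least one response still disclosed the server name.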

James

I have tried applying this but it does not always seem to work, any suggestions?