Bug in RemoveServerHeader attribute for IIS 10+

There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.

The description of the bug states:

The new removeServerHeader boolean property added in IIS 10 does not work for the very first request to a web application. If you fresh start/restart a web application with this property set in its web.config, and then send a fresh GET request to a page on the site, the Server header is still there. In subsequent requests, it is gone, as it should be.

My own observed symptom of the bug in removeServerHeader is that it sometimes works and other times doesn't, so some of the responses will have the header and others will not. It is therefore a good idea to add a URL Rewrite rule as a backup.

The rewrite rule will not remove the Server header, but it will replace its value with an empty string. Add the following to the web.config file of the application.

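    <!-- Place inside <system.webServer>; requires the IIS URL Rewrite module. -->
    <rewrite>
      <outboundRules rewriteBeforeCache="true">
        <!-- Matches any non-empty Server header value and rewrites it to an empty string. -->
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>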
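
To confirm the attribute and the backup rule together cover every response, the following added example (not part of the original post) classifies the Server header as absent, empty, or leaked. The response heads in `SAMPLES` are constructed for illustration, and the helper names and the `probe` function for checking a server you operate are assumptions of this example.

```python
import http.client
from urllib.parse import urlsplit

# Constructed response heads (not captured traffic) for the cases on this page.
SAMPLES = {
    "first request after restart": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "later request, attribute working": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "outbound rule applied": "HTTP/1.1 200 OK\r\nServer: \r\nContent-Type: text/html\r\n\r\n",
    "404 response": "HTTP/1.1 404 Not Found\r\nserver: Microsoft-IIS/10.0\r\n\r\n",
}

def classify(headers):
    """Return 'absent', 'empty' or 'leaked' for a list of (name, value) pairs."""
    values = [v.strip() for n, v in headers if n.strip().lower() == "server"]
    if not values:
        return "absent"
    return "leaked" if any(values) else "empty"

def parse_head(raw):
    """Split a raw response head into (status_code, [(name, value), ...])."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name, value))
    return status, headers

def audit(samples):
    """Map each sample label to (status, verdict)."""
    parsed = {label: parse_head(raw) for label, raw in samples.items()}
    return {label: (status, classify(hdrs)) for label, (status, hdrs) in parsed.items()}

def probe(base_url, paths, timeout=5):
    """Live variant: GET each path on a server you operate; return (path, status, verdict)."""
    parts = urlsplit(base_url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = []
    for path in paths:
        conn = cls(parts.netloc, timeout=timeout)  # new connection per request
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            results.append((path, resp.status, classify(resp.getheaders())))
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    for label, (status, verdict) in audit(SAMPLES).items():
        print(f"{status}  {verdict:<7} {label}")
```

When using `probe`, include a path that returns an error status and run it directly after an application restart, since those are the cases where the header is reported to reappear.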

3 Comments
James
2 years ago

I have tried applying this but it does not always seem to work, any suggestions?

Hakon
2 years ago

It does not work when 404 for instance. Any suggestions?