Bug in RemoveServerHeader attribute for IIS 10+
The description of the bug states:
The new removeServerHeader boolean property added in IIS 10 does not work for the very first request to a web application. If you fresh start/restart a web application with this property set in its web.config, and then send a fresh GET request to a page on the site, the Server header is still there. In subsequent requests, it is gone, as it should be.
My own observed symptom of the bug in RemoveServerheader is that is sometimes work and other times doesn’t. So some of the response will have it and others not. It is therefor a good idea to add a URL Rewrite as backup.
The rewrite rule will not remove the serverheader but will null it. Add the following to the web.config file of the application.
<rewrite> <outboundRules rewriteBeforeCache="true"> <rule name="Remove Server header"> <match serverVariable="RESPONSE_Server" pattern=".+" /> <action type="Rewrite" value="" /> </rule> </outboundRules> </rewrite>