Bug in RemoveServerHeader attribute for IIS 10+

By | July 9, 2018

Alert

Bug in RemoveServerHeader attribute for IIS 10+

There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.

The description of the bug states:

The new removeServerHeader boolean property added in IIS 10 does not work for the very first request to a web application. If you fresh start/restart a web application with this property set in its web.config, and then send a fresh GET request to a page on the site, the Server header is still there. In subsequent requests, it is gone, as it should be.

My own observed symptom of the bug in RemoveServerheader is that is sometimes work and other times doesn’t. So some of the response will have it and others not. It is therefor a good idea to add a URL Rewrite as backup.

The rewrite rule will not remove the serverheader but will null it. Add the following to the web.config file of the application.

[Code lang=”xml”]








[/Code]

3 thoughts on “Bug in RemoveServerHeader attribute for IIS 10+

  1. James

    I have tried applying this but it does not always seem to work, any suggestions?

    Reply
    1. Wayne Clifford Barker Post author

      Hi James, you saying that the url re-write rule is not working? What version of IIS are you using?

      Reply
  2. Hakon

    It does not work when 404 for instance. Any suggestions?

    Reply

Leave a Reply

Your email address will not be published.