Removing server header from IIS


These settings go in the site's web.config file. Removing the Server header prevents disclosure of the web server product name and version, which is a necessary security measure to protect IIS.

For IIS 10:


<system.webServer>
    <security>
        <requestFiltering removeServerHeader="true" />
    </security>
</system.webServer>

For an older IIS, install the URL Rewrite module and add this outbound rule (it belongs inside <system.webServer>):


<rewrite>
    <outboundRules>
        <rule name="remove server header">
            <match serverVariable="RESPONSE_Server" pattern=".+" />
            <action type="Rewrite" value="" />
        </rule>
    </outboundRules>
</rewrite>

Add this to remove the X-Powered-By header:


<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Additional security headers can be found here:

Or add these inside the same <customHeaders> element:


<add name="X-XSS-Protection" value="1"/>
<add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="Referrer-Policy" value="no-referrer"/>
<add name="X-Frame-Options" value="DENY"/>
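To confirm the deployed configuration actually took effect, the following Python script (an added example, not part of the original post) audits a response for the disclosure headers removed above and the hardening headers added above. The two sample responses are constructed, not captured from a real host; X-AspNet-Version is the related ASP.NET version header and is checked as well.

```python
import urllib.request
from email.parser import Parser

# Headers that disclose the server stack. The post's web.config removes
# Server and X-Powered-By; X-AspNet-Version is ASP.NET's version header.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# The hardening headers from the post's <customHeaders> block.
EXPECTED_HEADERS = {
    "X-XSS-Protection": "1",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "X-Frame-Options": "DENY",
}


def parse_response_head(raw):
    """Parse the headers of a raw HTTP/1.1 response (status line stripped) into a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    _status, _, header_text = head.partition("\r\n")
    return {k: v.strip() for k, v in Parser().parsestr(header_text).items()}


def audit_headers(headers):
    """Return disclosure headers still sent with a non-empty value (a Server header
    rewritten to "" counts as removed) and expected headers absent or mismatched."""
    lowered = {k.lower(): v for k, v in headers.items()}
    leaking = [h for h in DISCLOSURE_HEADERS if lowered.get(h.lower())]
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in lowered]
    mismatched = [h for h, want in EXPECTED_HEADERS.items()
                  if h.lower() in lowered and lowered[h.lower()] != want]
    return {"leaking": leaking, "missing": missing, "mismatched": mismatched}


def audit_url(url):
    """Fetch a live URL with GET and audit its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return audit_headers(dict(resp.getheaders()))


# Constructed sample responses (not captured from a real host), before/after the changes above.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1\r\n"
         "Content-Security-Policy: script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';\r\n"
         "X-Content-Type-Options: nosniff\r\nReferrer-Policy: no-referrer\r\n"
         "X-Frame-Options: DENY\r\n\r\n<html></html>")
```

Against a site you administer, `audit_url("https://your-host/")` returns the same three lists; all empty means the Server and X-Powered-By headers are gone and every configured header arrived with the expected value.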
