This section should be set inside the web.config file. Removing the Server header prevents disclosure of the web server name and version, which is a necessary security measure to protect IIS.
For IIS 10:
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
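For an older IIS, install the URL Rewrite module and add this:
<system.webServer>
  <rewrite>
    <outboundRules>
      <!-- Blanks the Server header value; the header name is still sent, with an empty value -->
      <rule name="remove server header">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>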
Add this to remove the X-Powered-By header:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
Additional security headers can be found here:
Or add these inside <customHeaders>:
<add name="X-XSS-Protection" value="1"/>
<add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="Referrer-Policy" value="no-referrer"/>
<add name="X-Frame-Options" value="DENY"/>
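An added example, not from the original page: a Python script that audits a web.config for the settings listed above, accepting either the IIS 10 attribute or the URL Rewrite rule for the Server header. The function name `audit_web_config` and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's IIS 10 fragments merged, two listed headers left out.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="no-referrer" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Header names from the page's list of headers to add.
EXPECTED_HEADERS = ("X-XSS-Protection", "Content-Security-Policy",
                    "X-Content-Type-Options", "Referrer-Policy", "X-Frame-Options")

def audit_web_config(xml_text):
    """Return findings; an empty list means every setting from the page is present."""
    ws = ET.fromstring(xml_text).find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section"]
    findings = []
    rf = ws.find("security/requestFiltering")
    iis10 = rf is not None and rf.get("removeServerHeader", "").lower() == "true"
    # Older IIS: accept a URL Rewrite outbound rule matching RESPONSE_Server.
    rewrite = any(m.get("serverVariable", "").upper() == "RESPONSE_SERVER"
                  for m in ws.findall("rewrite/outboundRules/rule/match"))
    if not (iis10 or rewrite):
        findings.append("Server header is not removed")
    custom = ws.find("httpProtocol/customHeaders")
    entries = list(custom) if custom is not None else []
    removed = {e.get("name", "").lower() for e in entries if e.tag == "remove"}
    added = {e.get("name", "").lower() for e in entries if e.tag == "add"}
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By is not removed")
    findings += ["missing header: " + h for h in EXPECTED_HEADERS
                 if h.lower() not in added]
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG) or ["all settings present"]:
        print(finding)
```

The audit only reads the file; confirm the result against the live response headers as well, since settings inherited from a parent configuration are not visible in a single web.config.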