Remove Version Headers from IIS
- Last Updated Feb 13, 2024
- 1 minute read
IIS sends the following headers with each response:
- Server - Specifies the IIS server version.
- X-AspNet-Version - Specifies the version of the ASP.NET framework used.
It is recommended to remove identifiers from software, such as application servers and web servers, to limit the amount of information obtained by a potentially hostile party. The applications running on ASP.NET using IIS have such identifiers turned ON by default. It is recommended that these headers be removed from the response IIS generates for both non-secure (HTTP) and secure (HTTPS) installations.
To rewrite the values for these headers:
- Install the compatible version of the URL Rewrite module for IIS. For information, refer to https://www.iis.net/downloads/microsoft/url-rewrite.
- Open <ISM Installation path>/Client.
- Open web.config in a text editor.
- In the <system.webServer> section, paste the following:

```xml
<rewrite>
  <outboundRules>
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
    <rule name="Remove X-ASPNet-Version header">
      <match serverVariable="RESPONSE_X_ASPNet_Version" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
```

- Reset IIS.
The headers can also be removed entirely instead of being rewritten to an empty value. Whether to do so depends on the server setup and configuration requirements and is at the discretion of your system administrator. Use UrlScan 3.1 to remove the headers completely. For information, refer to http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-overview. After installing and configuring the tool, set the RemoveServerHeader and AllowDotInPath options to 1 in the URLScan.ini file.
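After applying either approach (the outbound rewrite rules or UrlScan) and resetting IIS, confirm that neither header is still returned on the HTTP and HTTPS listeners. The following script is an added example, not part of this page or the product's own tooling; it assumes the placeholder URLs are replaced with the site's real addresses.

```python
import sys
import urllib.error
import urllib.request

# The two headers the page says IIS/ASP.NET emit by default. HTTP header
# names are case-insensitive, so comparisons are done in lower case.
VERSION_HEADERS = ("server", "x-aspnet-version")


def leaking_headers(headers):
    """Return {name: value} for version headers that are present and non-empty.

    `headers` is any mapping of header name -> value (a dict, or the
    HTTPMessage urllib attaches to a response). An empty value counts as
    removed, which is what the outbound rule with value="" produces.
    """
    found = {}
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and value.strip():
            found[name.lower()] = value.strip()
    return found


def check_url(url, timeout=5):
    """Send one HEAD request and return the leaking headers (empty = clean).

    Error responses (4xx/5xx) carry the same headers, so they are inspected
    too. Returns None if the server could not be reached at all.
    """
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return leaking_headers(response.headers)
    except urllib.error.HTTPError as err:
        return leaking_headers(err.headers)
    except urllib.error.URLError:
        return None


if __name__ == "__main__":
    # Placeholder URLs (assumption): replace with the site's own HTTP and
    # HTTPS addresses, since the page recommends hardening both listeners.
    for url in sys.argv[1:] or ["http://localhost/", "https://localhost/"]:
        leaks = check_url(url)
        if leaks is None:
            print(f"{url}: unreachable")
        elif leaks:
            print(f"{url}: still leaking {leaks}")
        else:
            print(f"{url}: no version headers")
```

A non-empty result after the change usually means the rewrite rule did not load (for example, the URL Rewrite module is missing) or IIS was not reset.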