IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server:
You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.
Why would I need to tell the world what ASP version, webserver, etc. that I’m using? Isn’t this just helping potential attackers? Well, yes. How do you remove these headers, though?
I can’t think of a legitimate reason to send details of what webserver you’re using to a client, but IIS does seem particularly determined to do so.
To remove the server tag is actually the fiddliest of these tags. The very best way is using the IIS URL Rewrite module. This isn’t a standard install – but it is very commonly used, and it’s reliable. Most of our customers use it.
Essentially, what you do is configure an outbound rule that matches the Server HTTP Header, and replaces it with empty text. Full description by Scott Helme here. He does it manually through IIS, or you can do this with a web.config modification:
<rule name="Remove Server Response Header">
<match serverVariable="RESPONSE_SERVER" pattern=".*" />
<action type="Rewrite" />
Otherwise, you’re looking at installing URLScan, or trying a Registry edit that may or may not work. See: http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx
What were they thinking? Why is this so hard?
This is configured as a header for the entire of IIS, and I can’t see a good reason to leak this information (other than bragging). Go to your IIS instance, HTTP Response Headers and remove it:
That should zap it for the whole webserver. You can do this on a per-site basis, but that’s not as fun.
It can also be done in your Web.config:
<remove name="X-Powered-By" />
Another Change to web.config:
<httpRuntime enableVersionHeader="false" />
In Global.asax.cs add:
protected void Application_Start()
MvcHandler.DisableMvcResponseHeader = true;
That apparently does it. And I love that it’s inconsistent with all the others.