Remove header information from IIS [RESOLVED]
You will often need to do the following to make your website as secure as possible and to stop the IIS version from being displayed when a scan is run against the server.
- Open “Internet Information Services (IIS) Manager”.
- If you want to apply the settings globally, click on your main server node (select the IIS node).
- Open the “Configuration Editor”.
- To remove the ‘X-AspNet-Version’ response header, go to system.web >> httpRuntime >> enableVersionHeader and set it to ‘false’.
- To remove the IIS ‘Server’ response header, go to system.webServer >> security >> requestFiltering >> removeServerHeader and set it to ‘true’.
To set the values per site, click on the site you want to apply the changes to, and open the Configuration Editor from there.
For example, before you make the above changes, an nmap scan may show:
http-server-header:
Microsoft-HTTPAPI/2.0
|Microsoft-IIS/10.0
After the above changes, an nmap scan would show:
http-server-header:
Microsoft-HTTPAPI/2.0
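The same two settings can be applied globally from an elevated PowerShell session and then checked against a live response. This is an added example, not part of the original post; it assumes the WebAdministration module that ships with IIS, and the test URL is a placeholder you should change.

```powershell
# Added example: scripted form of the Configuration Editor steps (global scope).
# Run elevated on the IIS server; removeServerHeader requires IIS 10.0 or later.
Import-Module WebAdministration

$Url = 'http://localhost/'   # assumption: a URL this server answers successfully

$settings = @(
    @{ PSPath = 'MACHINE/WEBROOT'            # root web.config (ASP.NET)
       Filter = 'system.web/httpRuntime'
       Name   = 'enableVersionHeader'
       Value  = $false },
    @{ PSPath = 'MACHINE/WEBROOT/APPHOST'    # applicationHost.config (IIS)
       Filter = 'system.webServer/security/requestFiltering'
       Name   = 'removeServerHeader'
       Value  = $true }
)

foreach ($s in $settings) {
    # Write the value, then read it back so a locked or missing section fails loudly.
    Set-WebConfigurationProperty -PSPath $s.PSPath -Filter $s.Filter -Name $s.Name -Value $s.Value
    $now = (Get-WebConfigurationProperty -PSPath $s.PSPath -Filter $s.Filter -Name $s.Name).Value
    if ($now -ne $s.Value) {
        throw "$($s.Filter)/$($s.Name) is '$now', expected '$($s.Value)'"
    }
    Write-Output "$($s.Name) = $now"
}

# Request a page and report either header if it is still being returned.
$resp  = Invoke-WebRequest -Uri $Url -UseBasicParsing
$leaks = foreach ($h in 'Server', 'X-AspNet-Version') {
    if ($resp.Headers.ContainsKey($h)) {
        '{0}: {1}' -f $h, ($resp.Headers[$h] -join ', ')
    }
}

if ($leaks) {
    $leaks | ForEach-Object { Write-Warning "Still disclosed -> $_" }
} else {
    Write-Output 'Server and X-AspNet-Version are no longer returned.'
}
# As in the "after" scan above, Microsoft-HTTPAPI/2.0 can still be reported;
# these two settings do not change it.
```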
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.