This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 9%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
We host some of our .Net web apps in an Azure Web App on a shared plan. A security audit showed that in certain cases the HTTP Server header is returned, identifying the server running "Microsoft-IIS/10.0". We are already using the "removeServerHeader" attribute set to “true” in web.config. Also we are using the customHeaders remove elements to remove certain headers. So in most cases no Server header gets sent.
However, there is a specific case where the Server header is sent: when requesting it using a HTTP 1.0 request. When I open a Telnet connection to port 80 of my web app and send the following GET request:
GET / HTTP/1.0
I get the following response:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Tue, 06 Oct 2020 13:47:22 GMT
Connection: close
Content-Length: 2778
Can this be prevented?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 52%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYK%3C/text%3E%3C/svg%3E)
Apparently error response codes may go through a different pipeline... runAllManagedModulesForAllRequests="true" fixed issue for this person on 404 errors (check ref site for other options)
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
</modules>
</system.webServer>
removeServerHeader" attribute set to false in web.config
shouldn't it be set to true if you don't want to send Server header?
Yeah, sorry. That’s a typo. We’ve set it to the proper value. But as I said, the problem happens outside of our web app, so web.config has no effect.
Sorry for my delayed response here but I feel that this question deserves a good answer.
One way that I can think of is to have this use system.webServer rather than system.web which is application specific. I've tested this on a normal html file and it works as expected. Let me know if this works for you.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader ="true" />
</security>
</system.webServer>
</configuration>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 6%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECJ%3C/text%3E%3C/svg%3E)
So, I have the same problem and I already have this configuration on my web.config, but the problem persists, because, the issue is related to the HTTP protocol version, specifically the 1.0, the HTTP 1.1 is what IIS uses by default, but the problem comes with the HTTP 1.0. So, this answer only works for the HTTP 1.1.