Server information disclosure

Paras Nogia 0 Reputation points
2026-06-09T05:57:30.7033333+00:00

We are getting server information disclosed as part of the API response. This API is hosted on a Windows VM in Azure. Please suggest how we can remove the header with the server information.

[Screenshot of the API response attached to the question]

Windows development | Internet Information Services

2 answers

  1. Tom Tran (WICLOUD CORPORATION) 5,050 Reputation points Microsoft External Staff Moderator
    2026-06-09T07:01:13.3566667+00:00

    Hi @Paras Nogia ,

    Based on the screenshot, the server information being disclosed is:

    Server: Microsoft-HTTPAPI/2.0
    

    This header is returned by HTTP.sys, not by the application code itself. Since the response also shows 400 Bad Request - Invalid Hostname, the request may be getting rejected before it reaches the IIS site or the ASP.NET Core API.

    For this specific header, one thing worth checking is the HTTP.sys registry setting on the Windows VM. Create or update the following DWORD value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    DisableServerHeader = 1
    

    Microsoft documents this setting in Http.sys registry settings for Windows. A value of 1 stops HTTP.sys from appending the Server header for responses generated by HTTP.sys, such as 400 and 503 responses.

    You can add it from an elevated Command Prompt or PowerShell window:

    reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v DisableServerHeader /t REG_DWORD /d 1 /f
    

    After making the change, restart the HTTP service and related IIS services, or reboot the VM during a maintenance window for the change to take effect.

    You may also want to check why the request is returning 400 Bad Request - Invalid Hostname. This often happens when the request host name does not match the expected IIS site binding. You can check the HTTP.sys error log here:

    C:\Windows\System32\LogFiles\HTTPERR\httperr.log
    

    If the information I provided was helpful, I would greatly appreciate it if you could follow the instructions here so others with the same problem can benefit as well. 

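The steps in the answer above (set the HTTP.sys registry value, restart HTTP.sys and the IIS services that sit on it, then read the HTTP.sys error log) as one script. This is an added example, not code from the answer or from Microsoft: the registry key, value and log directory are the ones the answer gives, while the function names, the handling of dependent services and the log-file glob are this example's own assumptions. Run it in an elevated PowerShell window on the VM during a maintenance window, since the restart drops in-flight requests.

```powershell
# Added example (not from the original answer): apply DisableServerHeader = 1,
# restart the HTTP.sys stack and show the newest HTTP.sys error log entries.

$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$HttpErrDir    = Join-Path $env:SystemRoot 'System32\LogFiles\HTTPERR'

function Set-HttpSysServerHeaderDisabled {
    # Creates or overwrites the REG_DWORD value (the -Force makes it an upsert)
    # and returns the value read back so the caller can confirm the write.
    New-ItemProperty -Path $HttpParamsKey -Name 'DisableServerHeader' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $HttpParamsKey -Name 'DisableServerHeader').DisableServerHeader
}

function Restart-HttpSysStack {
    # HTTP.sys reads its Parameters key when the driver starts, so the HTTP
    # service itself has to be restarted. Stopping it with -Force also stops
    # the services that depend on it (W3SVC, WAS, WinRM, ...), so note which
    # of those were running and start them again afterwards. Only direct
    # dependents are tracked here; that is an assumption of this example.
    $wasRunning = (Get-Service -Name HTTP).DependentServices |
        Where-Object { $_.Status -eq 'Running' }
    Stop-Service -Name HTTP -Force
    Start-Service -Name HTTP
    foreach ($svc in $wasRunning) {
        Start-Service -Name $svc.Name -ErrorAction Continue
    }
    # Report the end state so a service that did not come back is obvious.
    Get-Service -Name HTTP, W3SVC, WAS -ErrorAction SilentlyContinue |
        Select-Object Name, Status
}

function Get-HttpErrLogTail {
    param([int]$Lines = 20)
    # HTTP.sys writes httperr.log / httperr1.log / httperr2.log ... as files
    # fill up, so pick the most recently written one. Each line records the
    # client, the request line and the reason phrase, which is where the
    # "Invalid Hostname" rejections from the question show up.
    $newest = Get-ChildItem -Path $HttpErrDir -Filter 'httperr*.log' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($null -eq $newest) {
        return "No httperr*.log found under $HttpErrDir"
    }
    Get-Content -Path $newest.FullName -Tail $Lines
}

Set-HttpSysServerHeaderDisabled   # expect 1
Restart-HttpSysStack
Get-HttpErrLogTail
```

The value only affects responses that HTTP.sys generates on its own (the 400 and 503 cases the answer mentions); responses that reach IIS or the application still carry whatever Server header that layer adds, so the two have to be checked separately after the restart.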
  2. AI answer

    2026-06-09T05:57:45.85+00:00

In IIS on a Windows VM, the Server HTTP response header is added by the web server itself. To prevent server information disclosure, configure IIS to remove or overwrite this header at the web-server level.

    A common hardening approach is:

    1. Configure IIS to stop sending the default Server header (for example, by using a URL Rewrite outbound rule or a custom module) so that the header is either removed or replaced with a generic value.
2. Ensure that no application code or reverse proxy in front of IIS re-adds a more detailed Server header.
    3. After configuration, test with a tool such as a browser dev tools network tab or curl to confirm that responses no longer expose Windows/IIS version details.

This aligns with general guidance on avoiding information disclosure: do not expose confidential or system-specific data in protocol metadata such as headers.

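Steps 1 and 3 of the approach above, as an added example that is not code from either answer: a function that turns on the IIS 10 `removeServerHeader` request-filtering attribute (a built-in alternative to the URL Rewrite outbound rule the answer mentions; the answer itself does not name it), and a check that requests several URIs and reports which responses still carry a Server header. Requesting the site by IP address as well as by host name is a constructed way to exercise the HTTP.sys "Invalid Hostname" path from the question's screenshot, because a 400 generated there never reaches IIS. The URIs are placeholders, and the function and parameter names are this example's own.

```powershell
# Added example (not from the original answers).

function Set-IisRemoveServerHeader {
    # IIS 10 (Windows Server 2016 and later) can drop its own Server header via
    # system.webServer/security/requestFiltering@removeServerHeader at the
    # server level, so no rewrite module is needed. Requires an elevated shell.
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/requestFiltering' `
        -Name 'removeServerHeader' -Value $true
}

function Get-ServerHeaderReport {
    param(
        [Parameter(Mandatory)][string[]]$Uri,
        [switch]$SkipCertificateCheck   # for self-signed test certificates; PowerShell 7+ only
    )
    foreach ($u in $Uri) {
        $params = @{ Uri = $u; Method = 'Head'; UseBasicParsing = $true; ErrorAction = 'Stop' }
        if ($PSVersionTable.PSVersion.Major -ge 7) {
            # PowerShell 7 can hand back 4xx/5xx responses instead of throwing.
            $params.SkipHttpErrorCheck = $true
            if ($SkipCertificateCheck) { $params.SkipCertificateCheck = $true }
        }
        try {
            $resp   = Invoke-WebRequest @params
            $status = [int]$resp.StatusCode
            $server = $resp.Headers['Server']
        } catch [System.Net.WebException] {
            # Windows PowerShell 5.1 throws on 4xx/5xx but keeps the response
            # attached, and the 400 case is exactly where HTTP.sys adds the
            # header, so read the headers off the failed response.
            $raw = $_.Exception.Response
            if ($null -eq $raw) { throw }   # connection-level failure, nothing to inspect
            $status = [int]$raw.StatusCode
            $server = $raw.Headers['Server']
        }
        [pscustomobject]@{
            Uri       = $u
            Status    = $status
            Server    = if ($server) { ($server -join ', ') } else { '<none>' }
            Disclosed = [bool]$server
        }
    }
}

# Constructed placeholders: replace with the site's real host name and IP address.
Get-ServerHeaderReport -Uri 'http://api.contoso.example/health', 'http://10.0.0.4/health' |
    Format-Table -AutoSize
```

A row with Status 400 and Disclosed true after the IIS change is the HTTP.sys case from the first answer and needs the DisableServerHeader registry value; a row with Status 200 and Disclosed true means IIS, the application or a proxy in front of it is still adding the header.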