I want to hide the IIS version in my web server response. I am trying to do this via URLRewrite for my website.
My web.config looks like so:
<rewrite>
  <outboundRules>
    <rule name="RewriteServerSoftware" stopProcessing="true">
      <match serverVariable="SERVER_SOFTWARE" pattern="." />
      <action type="Rewrite" value="MyServer" replace="true" />
    </rule>
  </outboundRules>
</rewrite>
This, however, does not seem to remove the value of Server:Microsoft-IIS/8.0. What might I be missing?
My environment is Windows Server 2012 R2 and IIS 8.0, hosting an ASP.NET website.
The correct server variable name is RESPONSE_Server, which follows the RESPONSE_headername format.
So your config should be:
<rewrite>
  <outboundRules>
    <rule name="RewriteServerSoftware" stopProcessing="true">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="MyServer" replace="true" />
    </rule>
  </outboundRules>
</rewrite>
One additional thing to note is that if you're using IIS 10.0 you also might need to add the following to your web.config:
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>
In my case with IIS 10.0 only using both URL-Rewrite and the removeServerHeader worked.
More Info: https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
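A lint for the two settings discussed in the answers above, as an added example that is not part of the original posts: it parses a web.config and reports whether an outbound rule targets RESPONSE_Server and whether removeServerHeader is set. The function name and the sample configs are constructed for illustration, and the file is assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's snippets, wrapped in the
# <configuration>/<system.webServer> elements a real web.config has.
RULE = """<configuration><system.webServer>{extra}<rewrite><outboundRules>
<rule name="RewriteServerSoftware" stopProcessing="true">
<match serverVariable="{variable}" pattern=".+" />
<action type="Rewrite" value="MyServer" replace="true" />
</rule>
</outboundRules></rewrite></system.webServer></configuration>"""
QUESTION_CONFIG = RULE.format(extra="", variable="SERVER_SOFTWARE")
ANSWER_CONFIG = RULE.format(
    extra='<security><requestFiltering removeServerHeader="true" /></security>',
    variable="RESPONSE_Server")


def audit_server_header(web_config_xml):
    """Report how one web.config (no XML namespace assumed) treats the Server header."""
    root = ET.fromstring(web_config_xml)
    result = {"rewrites_server": False, "removes_server": False, "findings": []}
    for rule in root.findall(".//outboundRules/rule"):
        match = rule.find("match")
        variable = match.get("serverVariable") if match is not None else None
        if variable is None:
            continue  # rule works on response body tags, not on a header
        name = rule.get("name", "(unnamed)")
        # Prefix is compared exactly as the page writes it; header name ignores case.
        if not variable.startswith("RESPONSE_"):
            result["findings"].append(
                f"{name}: '{variable}' is not in RESPONSE_<header> form, "
                "so it does not address a response header")
            continue
        action = rule.find("action")
        if (variable[len("RESPONSE_"):].lower() == "server"
                and action is not None and action.get("type") == "Rewrite"):
            result["rewrites_server"] = True
    filtering = root.find(".//security/requestFiltering")
    if filtering is not None:
        flag = filtering.get("removeServerHeader", "")
        result["removes_server"] = flag.lower() == "true"
    if not (result["rewrites_server"] or result["removes_server"]):
        result["findings"].append("Server header is neither rewritten nor removed")
    return result


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(label, audit_server_header(cfg))
```

A clean result only says the configuration is present; confirm the effect by inspecting the Server header of a live response from the site.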