How do i suppress or remove the HTTP response header 'Server: Microsoft-HTTPAPI/2.0'? Penetration testing has revealed that it is a security vulnerability to disclose the server platform.
I have a self-hosted asp.net core web application running on Windows Server 2019 and am using Http.Sys instead of Kestrel since I need NTML authentication.
According to Microsoft, the response header can be turned off via the registry, but it does not work for me. I have set the DisableServerHeader to 2 in the registry per HTTP.SYS registry settings and rebooted the server.
Update, I found the issue! I failed to enter the parameter name correctly, a traling space was revealed when I exported the key. It works as expected after removing the space and rebooting the server.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader "=dword:00000002
I resolved the issue by entering the correct parameter name in the registry. It was a copy paste error, the key name had a trailing space.
The key no longer ends with a space and everything works as expected.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=dword:00000002