IIS 10 on Windows Server 2016. All current patches are installed. A recent PCI scan claims that the internal IP address of the server is being leaked in HTTP headers. Unfortunately, this scanning company does not give you any details as to how they reached this conclusion so that I can reproduce it. All of my research seems to indicate that this is not an issue in IIS 10, only older versions of IIS. I do have URL rewrite rules that use redirect for ensuring connections are https, and that they have www in the host name.
<rule name="HTTPS Redirect">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Redirect to www">
    <match url="(.*)" />
    <conditions trackAllCaptures="false">
        <add input="{HTTP_HOST}" pattern="^example\.com$" />
    </conditions>
    <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
What is causing the server to leak the internal IP address, and how can I prevent it? I have tried using curl -lkL example.com but I do not see the IP address in any of the returned headers.
To replicate what they were trying, do the following:
This might be exposed through the HTTP response header. Check the general header information in your browser's developer tools. Attached is the screenshot from the local application, so it is just showing the local address. Maybe rewriting the server variable before sending the response can help here.
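The following is an added reproduction check for the question and for the "check your header" advice above; it is not code from either post. It assumes the scanner sent an HTTP/1.0 request with no Host header (the usual way this finding is triggered, and something the curl run in the question never does, since curl always sends a Host header), and it flags any RFC 1918 address in the Location or Content-Location header of the reply. The sample reply, the 10.0.0.12 address and the function names are constructed for the example.

```python
import ipaddress
import re
import socket

# Headers built from the host name: Location (the posted redirect rules), Content-Location (classic IIS).
HEADERS_OF_INTEREST = ("location", "content-location")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def leaked_private_ips(raw: bytes) -> list[tuple[str, str]]:
    """Return (header, ip) pairs where a header of interest carries an RFC 1918 address."""
    _, headers = parse_headers(raw)
    hits = []
    for name in HEADERS_OF_INTEREST:
        for ip in IPV4_RE.findall(headers.get(name, "")):
            try:
                if ipaddress.IPv4Address(ip).is_private:
                    hits.append((name, ip))
            except ipaddress.AddressValueError:
                continue  # an octet above 255, so not an address
    return hits

def probe(host: str, port: int = 80, path: str = "/") -> bytes:
    """Send a bare HTTP/1.0 GET with no Host header and return the raw reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\n\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed reply: what the "HTTPS Redirect" rule would emit if {HTTP_HOST}
# held the server's own 10.x binding instead of a host name.
SAMPLE_REPLY = (b"HTTP/1.1 301 Moved Permanently\r\n"
                b"Location: https://10.0.0.12/index.html\r\n"
                b"Server: Microsoft-IIS/10.0\r\n\r\n")

if __name__ == "__main__":
    print(leaked_private_ips(SAMPLE_REPLY))  # [('location', '10.0.0.12')]
```

To check your own server, replace the constructed reply with `probe("www.example.com")` (port 443 needs a TLS wrapper, which is left out here) and confirm that the Location header names a host, not an address.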