I need to remove the 'Server' header from all http requests coming to my IIS site due to PCI DSS scanning restrictions. I am running the latest version of Windows Server 2016 using the latest version of IIS 10. The IIS Request Filtering role is installed in Roles and Features.
My configuration file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
</configuration>
I am serving a static file, for the purposes of this test, it is called index.html
and contains <html></html>
.
After creating the config file, restarting IIS, and requesting the file, IIS is still sending the Server header:
The only other way I know of is to install the IIS-rewrite module, however this is extremely undesirable as we are running a server farm and this would need to be done to multiple servers and server images.
Are there any other things I can try to get request filtering working?
Is there any other way to remove the Server header which doesn't require IIS-rewrite?
P.S. I can reproduce this on multiple servers by creating a new site in IIS, and creating an index file and a web config as above - it feels like i'm missing something obvious.
0 Answers