IIS 10 on Windows Server 2016. All current patches are installed. A recent PCI scan claims that the internal IP address of the server is being leaked in HTTP headers. Unfortunately, this scanning company does not give you any details as to how they reached this conclusion so that I can reproduce it. All of my research seems to indicate that this is not an issue in IIS 10, only older versions of IIS. I do have URL rewrite rules that use redirect for ensuring connections are https, and that they have www in the host name.
<rule name="HTTPS Redirect">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="^OFF$" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
<rule name="Redirect to www">
  <match url="(.*)" />
  <conditions trackAllCaptures="false">
    <add input="{HTTP_HOST}" pattern="^example\.com$" />
  </conditions>
  <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
</rule>
What is causing the server to leak the internal IP address, and how can I prevent it? I have tried using curl -lkL example.com but I do not see the IP address in any of the returned headers.
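A reproduction check for the scan finding described above, as an added example that is not part of the original post. It assumes the scanner sent an HTTP/1.0 request with no Host header (the scan report does not say; curl always sends one by default), and the function names and sample responses are constructed for illustration.

```python
import ipaddress
import re
import socket

# Dotted-quad candidates; validity is checked with ipaddress below.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def build_probe(path="/"):
    """HTTP/1.0 request with no Host header (assumed scanner behaviour)."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")

def find_internal_ips(raw_response):
    """Return [(header_name, ip)] for non-public IPv4 literals in response headers."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hits = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:                   # e.g. an octet above 255
                continue
            if ip.is_private:                    # RFC 1918 and other non-global ranges
                hits.append((name.strip(), candidate))
    return hits

def probe(host, port=80, timeout=5.0):
    """Send the Host-less request to your own server and report leaked addresses."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return find_internal_ips(data)

# Constructed sample responses (not captured from the server in the question).
SAMPLE_LEAK = (b"HTTP/1.1 301 Moved Permanently\r\n"
               b"Location: https://10.0.0.5/\r\n"
               b"Server: Microsoft-IIS/10.0\r\n\r\n")
SAMPLE_OK = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://www.example.com/\r\n"
             b"Server: Microsoft-IIS/10.0\r\n\r\n")
```

Calling `probe("example.com")` against the plain-HTTP port exercises the redirect rules above; an empty list means no non-public address appeared in the response headers for that request.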