Audit Square Advisory

Table of contents:

How to set “custom HTTP headers” in IIS?

Permanent link:

https://auditsquare.com/advisory/windows/iis-custom-http-headers

What is “HTTP header”?

When you are browsing the internet, there is the HTTP request made to a web server (like IIS), HTTP headers are transferred from the browser to the webserver and vice-versa. The HTTP Headers sent by IIS to the browser gives information like how to render the content or gives information about the web server software, version etc.

HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.

Non-standard headers fields were conventionally marked by prefixing the field name with X- like X-Powered-By or X-AspNet-Version headers.

Why is it a security issue?

Attackers are using all available information to achieve their goal. Good practice is to minimize opportunities and information disclosed to public internet. Information like that can be a version of web server service, used programming language or technology. So, that is not a big security issue, but you can do it.

How to fix it?

Internet Information Services 6.0

NOTE: IIS 6.0 was shipped with Windows Server 2003

Via GUI:

  • Click Start – Administrative Tools – Internet Information Services (IIS).
  • Right click on Web Sites – Properties, tab HTTP Headers, choose X-Powered-By (or another non-standard) header and click Remove.

IIS6

From command line:

  • Run a command prompt and write (all row including quotations): cscript C:\Inetpub\AdminScripts\adsutil.vbs SET /W3SVC/HttpCustomHeaders ""

Internet Information Services 7.x

NOTE: IIS 7.0 was shipped with Windows Vista and Windows 2008; IIS 7.5 was shipped with Windows 7 and Windows 2008 R2

Via GUI:

  • Go to Internet Information Services (IIS) Manager and choose HTTP Response Headers.

IIS7

  • Then select X-Powered-By header and click Remove.

IIS7

Using IIS7 Web.config file:

You can supress X-Powered-By header by editing the web.config (XML format) file in a following way:

  • add to the section:
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
   </httpProtocol>

You can supress X-AspNet-Version header by editing the web.config file in a following way:

  • edit or add the line to the httpRuntime section:
<httpRuntime enableVersionHeader="false" />