Internet Information Services (IIS) is a web service component launched by Microsoft for the Windows operating system. IIS provides a complete set of features for building web services in the Windows operating system, such as the website and FTP services. This topic describes how to hide the server version in the response header of an IIS web service.
Background information
By default, the response header of an IIS web service in the Windows Server operating system includes the server version. Attackers may exploit known vulnerabilities to attack your service based on the server version. You can hide the server version by modifying the default IIS configurations.

Procedure
Before you modify the configurations of an instance, back up the configuration file or create snapshots to ensure data security.
The following section describes how to use the URL Rewrite component to hide the IIS server version in the response header of the IIS web service. In this example, IIS 10.0 is used.
Check whether the URL Rewrite component is installed.
On your Windows Server instance, open Server Manager and click IIS in the left-side navigation pane.
In the SERVERS section, right-click the server name and select Internet Information Services (IIS) Manager.

In the left-side navigation pane of the Internet Information Services (IIS) Manager window, click the name of the server you want to manage. If the URL Rewrite component appears on the IIS tab on the right, the URL Rewrite component is installed. If the URL Rewrite component does not appear, install the component. For more information, see URL Rewrite: The Official Microsoft IIS Site.
Modify the IIS configuration file to hide the IIS server version in the response header.
In the Internet Information Services (IIS) Manager window, click the server name, click Sites, select your website, and then click Explore on the right to open the root directory of the website.

Create or open the web.config configuration file in the root directory.
Create the web.config configuration file and add the following code.
Open an existing web.config configuration file and add the following XML configurations based on the existing content. Make sure that the modified configuration file meets the XML format requirements.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="REMOVE_RESPONSE_SERVER">
            <match serverVariable="RESPONSE_SERVER" pattern=".*" />
            <action type="Rewrite" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
  </location>
</configuration>
Check whether the modifications take effect.
Access the website by using a browser and use the developer tool to check whether the IIS server version in the response header is empty. The response header in the following figure indicates that the IIS server version is hidden.
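The two checks in this procedure can also be scripted: that a merged web.config is still well-formed and carries the outbound rule, and that the live Server header is empty. The following is an added example, not part of the original page; the function names, the directoryBrowse setting in the sample, and the http://localhost/ URL are assumptions.

```powershell
# Added example (not from the original page). Function names are hypothetical.
function Test-ServerHeaderRule {
    param([Parameter(Mandatory)][string]$ConfigText)
    # The [xml] cast throws on malformed XML, which catches a bad merge into an
    # existing web.config before IIS has to reject the file.
    try { $doc = [xml]$ConfigText }
    catch { return "MALFORMED: $($_.Exception.Message)" }
    foreach ($rule in $doc.SelectNodes('//system.webServer/rewrite/outboundRules/rule')) {
        $match  = $rule.SelectSingleNode('match')
        $action = $rule.SelectSingleNode('action')
        if ($null -eq $match -or $null -eq $action) { continue }
        if ($match.GetAttribute('serverVariable') -ne 'RESPONSE_SERVER') { continue }
        if ($rule.GetAttribute('enabled') -eq 'false') { continue }
        if ($action.GetAttribute('type') -ne 'Rewrite') { continue }
        $value = $action.GetAttribute('value')   # empty string when the attribute is absent
        if ($value -eq '') { return "OK: rule '$($rule.GetAttribute('name'))' empties the Server header" }
        return "WARN: rule '$($rule.GetAttribute('name'))' rewrites Server to '$value'"
    }
    return 'MISSING: no enabled outbound rule rewrites RESPONSE_SERVER'
}
function Get-ServerHeader {
    param([Parameter(Mandatory)][string]$Url)
    # HEAD request; an empty or absent Server value means the version is hidden.
    $response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    return [string]$response.Headers['Server']
}
# Constructed sample: the rule from this page merged into a web.config that
# already holds another setting (directoryBrowse is an assumed example).
$merged = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <rewrite>
      <outboundRules>
        <rule name="REMOVE_RESPONSE_SERVER">
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <action type="Rewrite" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
'@
Test-ServerHeaderRule -ConfigText $merged
# Simulates a merge that lost a closing tag.
Test-ServerHeaderRule -ConfigText ($merged.Replace('</rewrite>', ''))
# On the server itself (assumed URL): Get-ServerHeader -Url 'http://localhost/'
```

To check the file on disk, pass `(Get-Content -Raw <path to web.config>)` as `-ConfigText`.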