Hey everyone,
I'm having a major issue dealing with response headers on a .NET 2.0 (classic mode) app on Windows Server 2008 R2 under IIS 7.5. I have been attempting unsuccessfully to remove the "Server" response header from HTTP responses (in order to pass a security validation test from a major client). I have attempted the following:
- Create a DWORD parameter at "HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\" named "DisableServerHeader" set to 1
- Use UrlRewrite 2.0 to modify the outbound "RESPONSE_Server" response header; here is the web.config xml generated by IIS's UrlRewrite 2.0 wizard:
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="test" />
    </rule>
  </outboundRules>
I ensured that I added the "RESPONSE_SERVER" as an "Allowed Server Variable" as well. I also tried setting this globally for IIS as well, with no luck.
- In addition, UrlRewrite 2.0 just doesn't seem to work AT ALL for any parameter that I try to modify, even a custom parameter that I added on my own
- Finally, I didn't install UrlScan as my research indicated that it only worked up to IIS 7.0 and I'm running 7.5.
Does anyone have any clue as to what I'm doing wrong? Is there some mystical configuration option that I'm missing? I can't believe that UrlRewrite isn't working here!
Thank you for your time