Introduction

If you look at a typical HTTP response header from an ASP.NET application running under IIS, it will look something like this:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:05:34 GMT
Connection: close

Notice that IIS discloses its version information in the Server response header:

Server: Microsoft-IIS/8.0

Unfortunately you cannot really remove the Server header. But you can rewrite its content and empty it.

On IIS 7+ (IIS 7, 8.0, 8.5, IIS 10.0), use a URL Rewrite outboundRule to remove the web server version information from the Server: response header.

Install the Rewrite Rule Module

Before you can use the IIS Rewrite Rule, you will need to make sure that the IIS Rewrite Module feature is installed in your web server.

Open your Internet Information Services (IIS) Manager and select any of your websites under Sites in the Connections panel. When the module is installed, URL Rewrite appears in the list of features for the site.

If you don’t see the module in the list, you’ll need to install it first.  You can download it from this location:

https://www.iis.net/downloads/microsoft/url-rewrite

Remove Server response header with an outboundRule URL Rewrite rule

You can use the following URL Rewrite Outbound rule:

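<!-- Place inside <system.webServer> in the site's web.config -->
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <!-- RESPONSE_Server is the outgoing Server header; ".+" matches any non-empty value -->
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <!-- Replace the matched value with an empty string -->
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>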

The outboundRule looks for the Server: header (exposed to URL Rewrite as the server variable RESPONSE_Server) in the outgoing response and rewrites its value to an empty string.

The end result is an empty Server: response header line:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:06:08 GMT
Connection: close

You’ve now successfully removed the Server version information from the HTTP response headers!

This is a website-specific rule. If you want it to apply to all of your applications, you have to create the rule at the server level. Also, some applications, especially third-party applications, may require and depend on the Server header. In that case you may need to remove this rule for those applications.
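To confirm the rule took effect on each site, the check below classifies the Server header in a response as absent, empty, present without a version, or version-disclosed. It is an added example, not part of the original article; the function names are hypothetical and the two sample responses are constructed from the ones shown above.

```python
import http.client
import re

# Product token followed by "/version", e.g. "Microsoft-IIS/8.0".
VERSION_TOKEN = re.compile(r"[^\s/]+/\d[\w.]*")

def server_header_values(raw_headers: str) -> list:
    """Return every Server header value found in a raw response header block."""
    values = []
    for line in raw_headers.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                                    # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":         # header names are case-insensitive
            values.append(value.strip())
    return values

def classify(raw_headers: str) -> str:
    """Return 'absent', 'empty', 'present' (no version) or 'version-disclosed'."""
    values = server_header_values(raw_headers)
    if not values:
        return "absent"
    if any(VERSION_TOKEN.search(v) for v in values):
        return "version-disclosed"
    return "empty" if all(v == "" for v in values) else "present"

def fetch_raw_headers(host: str, path: str = "/", tls: bool = True) -> str:
    """Send HEAD to a live site and rebuild the header block for classify()."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines)
    finally:
        conn.close()

# Constructed samples, based on the two responses shown on this page.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer: Microsoft-IIS/8.0\r\nConnection: close\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer:\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print("before rule:", classify(BEFORE))
    print("after rule: ", classify(AFTER))
```

Against a live site, pass the result of fetch_raw_headers("your-host-name") to classify() for every site that should be covered by the rule.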