I'm trying to remove Microsoft-HTTPAPI/2.0 server header from my HTTP responses following this article form MSDN. Currently I'm applying the registry-based solution on Windows Server 2008 R2 and Windows 10 to no luck. I still receive the headers whenever I send an HTTP request with empty Host
header.
curl -X GET "127.0.0.1" -H "Host:" --head
The command above returns HTTP 400 Bad Request with Server: Microsoft-HTTPAPI/2.0
.
Is there any newer approach to remove the particular header? I know this was asked before for IIS 7 (which probably the solution still works), but reboot doesn't cure the problem on those two Windows I have mentioned above.
Thank you in advance.
ps. I know its kind of security in obscurity, but auditors wants it.
Best Answer
If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).
You can test this by throwing an error using CURL:
You will see something like this if your server is sending the header:
You can add a registry value so HTTP.sys doesn't include the header.
Reference: WS/WCF: Remove Server Header
After you add the registry key, the response looks like this:
Posting here so people who need this can find it. (Thanks, Oram!)