Use HTACCESS to Remove SERVER_SOFTWARE from ServerVariables

Time:06-17

I am trying to remove SERVER_SOFTWARE from ServerVariables for security / PCI Compliance. We are running IIS 8.5 on Win Server 2012 R2 Standard.

I saw this, but it is modifying web.config. Host header (SERVER:) and URL Rewrite

I tried using "Header unset SOFTWARE" but I don't think it's being called correctly and I cannot figure out the correct setup. We are using Helicon ISAPI_Rewrite version 3.1.

Can this be done via HTACCESS?

I also tried doing the URL_REWRITE per here: https://port135.com/change-remove-response-headers/. I added the RESPONSE_Server variable, but it's still showing SERVER_SOFTWARE = Microsoft-IIS/8.5

Thanks.

CodePudding user response:

In IIS, the equivalent of .htaccess is web.config. I don't think it can be done via HTACCESS.

I suggest you try using a custom module to sanitize the in-app headers:

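using System;
using System.Web;

namespace WebApp
{
    public class HeadersCleanupModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Subscribe with += so the handler runs on every request.
            context.PostReleaseRequestState += application_PostReleaseRequestState;
        }

        void application_PostReleaseRequestState(object sender, EventArgs e)
        {
            // Remove the headers from the outgoing response.
            HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
            HttpContext.Current.Response.Headers.Remove("ETag");
        }

        // Required by IHttpModule; this module holds nothing to release.
        public void Dispose() { }
    }
}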

Put it in the root directory of your web project and register the module in Web.config:

<system.webServer>
    <modules>
        <add name="HeadersCleanupModule" type="WebApp.HeadersCleanupModule" />
    </modules>
</system.webServer>

Hope this can help you.

CodePudding user response:

Looks like I fixed this. For anyone that finds this, I just removed everything and put it back in place manually in web.config as the FIRST item inside the system.webServer - it did NOT work using URL Rewrite. Note - I was trying to replace with "0", but that could have been part of the issue as well, not sure. This EXACT web.config text worked:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
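
One way to confirm from the outside that either approach above took effect, as an added example that is not code from the original posts: it parses a raw HTTP response head and reports whether the disclosure headers still carry a product or version string. The two sample responses are constructed, and watching X-Powered-By is an assumption (that header is not mentioned in the thread).

```python
import re

# Headers the answers above deal with, plus X-Powered-By (assumption: not
# mentioned in the thread, but commonly emitted alongside the other two).
WATCHED = ("server", "x-aspnet-version", "x-powered-by")
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # e.g. the 8.5 in Microsoft-IIS/8.5


def parse_headers(raw_head):
    """Split a raw response head into (status_line, {lowercase name: [values]})."""
    lines = raw_head.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; a name may appear more than once.
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(raw_head):
    """Return {header: finding}; finding is absent, blank, product or version."""
    _, headers = parse_headers(raw_head)
    report = {}
    for name in WATCHED:
        values = headers.get(name, [])
        if name not in headers:
            report[name] = "absent"
        elif not any(values):
            report[name] = "blank"      # header sent, but with no product string
        elif any(VERSION_RE.search(v) for v in values):
            report[name] = "version"    # discloses a version number
        else:
            report[name] = "product"    # discloses a product name only
    return report


# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Server: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\n"
          "X-Powered-By: ASP.NET\r\n\r\n<html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSERVER:\r\n\r\n<html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

To audit a live site, save the response head with a tool such as `curl -sI` and pass the text to `audit()`.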