.htaccess windows-server-2012-r2 iis-8.5 helicontech

Use HTACCESS to Remove SERVER_SOFTWARE from ServerVariables


I am trying to remove SERVER_SOFTWARE from ServerVariables for security / PCI Compliance. We are running IIS 8.5 on Win Server 2012 R2 Standard.

I saw this, but it is modifying web.config: "Host header (SERVER:) and URL Rewrite"

I tried using "Header unset SOFTWARE" but I don't think it's being called correctly and I cannot figure out the correct setup. We are using Helicon ISAPI_Rewrite version 3.1.

Can this be done via HTACCESS?

I also tried doing the URL_REWRITE per here: https://port135.com/change-remove-response-headers/. I added the RESPONSE_Server variable, but it's still showing SERVER_SOFTWARE = Microsoft-IIS/8.5

Thanks.


Solution

  • Looks like I fixed this. For anyone that finds this, I just removed everything and put it back in place manually in web.config as the FIRST item inside the system.webServer - it did NOT work using URL Rewrite. Note - I was trying to replace with "0", but that could have been part of the issue as well, not sure. This EXACT web.config text worked:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <rewrite>
                <outboundRules rewriteBeforeCache="true">
                    <rule name="Remove Server header">
                        <match serverVariable="RESPONSE_Server" pattern=".+" />
                        <action type="Rewrite" value="" />
                    </rule>
                </outboundRules>
            </rewrite>
        </system.webServer>
    </configuration>
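
An added check for the rule above (not part of the original answer): it audits a web.config for an outbound rule that blanks RESPONSE_Server and reads the Server header out of a raw HTTP response. The function names and the two sample responses are constructed for illustration, and Python's `re` is assumed to be a close enough stand-in for the rule's regex syntax.

```python
import re
import xml.etree.ElementTree as ET

# The web.config from the answer above (whitespace condensed).
PAGE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite></system.webServer></configuration>"""

# Constructed sample responses, not captured from a real server.
BEFORE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer: Microsoft-IIS/8.5\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nServer: \r\n\r\n"

def audit_web_config(xml_text, banner="Microsoft-IIS/8.5"):
    """Return a list of problems with the rule that blanks the Server header."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    rules = [r for r in root.findall("./system.webServer/rewrite/outboundRules/rule")
             if r.find("match") is not None
             and r.find("match").get("serverVariable", "").upper() == "RESPONSE_SERVER"]
    if not rules:
        return ["no outbound rule matches RESPONSE_Server"]
    problems = []
    for rule in rules:
        name, action = rule.get("name", "(unnamed)"), rule.find("action")
        if rule.get("enabled", "true").lower() == "false":
            problems.append(f"{name}: rule is disabled")
        if action is None or action.get("type") != "Rewrite":
            problems.append(f"{name}: action is not a Rewrite")
        elif action.get("value", "") != "":
            problems.append(f"{name}: header is set to {action.get('value')!r}, not blanked")
        # Python's re only approximates the regex syntax URL Rewrite uses.
        if not re.search(rule.find("match").get("pattern", ""), banner):
            problems.append(f"{name}: pattern does not match {banner!r}")
    return problems

def server_banner(raw_response):
    """Return the Server header value of a raw HTTP response, None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

if __name__ == "__main__":
    print(audit_web_config(PAGE_CONFIG))
    print(server_banner(BEFORE), "|", repr(server_banner(AFTER)))
```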