I am trying to remove SERVER_SOFTWARE from ServerVariables for security / PCI Compliance. We are running IIS 8.5 on Win Server 2012 R2 Standard.
I saw this, but it is modifying web.config. Host header (SERVER:) and URL Rewrite
I tried using "Header unset SOFTWARE" but i dont think it's being called correctly and I cannot figure out the correct setup. We are using Helicon ISAPI_Rewrite version 3.1.
Can this be done via HTACCESS?
I also tried doing the URL_REWRITE per here: https://port135.com/change-remove-response-headers/ I added the RESPONSE_Server variable, but it's still showing SERVER_SOFTWARE = Microsoft-IIS/8.5
Thanks.
Looks like I fixed this. For anyone that finds this, I just removed everything and put it back in place manually in web.config as the FIRST item inside the system.webServer - it did NOT work using URL Rewrite. Note - i was trying to replace with "0", but that could have been part of the issue as well, not sure. This EXACT web.config text worked:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>