IIS7 Response header exposes server information when post request is incomplete


IIS reveals “Server: Microsoft-HTTPAPI/2.0” in the response header when an invalid POST request is made, e.g. when Content-Length is not included in the header. The response returned also says HTTP/1.1 411 Length Required.

The closest case I have found was this forum post at iis.net: http://forums.iis.net/t/1178183.aspx/1 but I am still not having any luck.

I have also attempted to implement this: http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx and it doesn't stop the server header from being added / renamed.

My client is asking for all “Server” headers to be removed as part of their security requirements. (Don’t ask me why, I’m just the schmuck who just has to get it done.)

Anyone encounter this before?

Solution:

Stumbled on Paul Bouwer’s blog.

Turns out that when the “Microsoft-HTTPAPI/2.0” server header appears, it means that the HTTP.SYS driver has handled the request and it never gets to IIS for processing. Makes sense: why waste time sending to IIS when you can tackle an invalid request as early as possible?

In order to stop HTTP.SYS from adding the server header, a REG_DWORD needs to be added to the registry: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Add a REG_DWORD called “DisableServerHeader” with a value of 1.

I wasn't keen on trying to find a way to restart the driver and deal with the dependencies, so I rebooted the machine.

After reboot, tested with Fiddler and everything worked fine.
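One way to apply and then verify the fix described in the answer, as an added PowerShell example that is not part of the original post. The function names and the localhost / port 80 target are assumptions.

```powershell
# Added example (not from the original post). Function names are hypothetical.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Set-DisableServerHeader {
    # Creates or overwrites the REG_DWORD named in the answer; needs an elevated prompt.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableServerHeader' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back so the caller sees what is actually stored.
    (Get-ItemProperty -Path $key -Name 'DisableServerHeader').DisableServerHeader
}

function Get-ServerHeaderOnIncompletePost {
    param(
        [string]$HostName = 'localhost',  # assumption: checking the local site
        [int]$Port = 80                   # assumption: plain HTTP binding
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        # POST with no Content-Length: the case from the question that HTTP.SYS
        # answers itself with "411 Length Required" before IIS sees it.
        $request = "POST / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $statusLine = $reader.ReadLine()
        $serverHeader = $null
        # Read header lines up to the blank line that ends the header block.
        while ($null -ne ($line = $reader.ReadLine()) -and $line -ne '') {
            if ($line -match '^Server:\s*(.*)$') { $serverHeader = $Matches[1] }
        }
        [pscustomobject]@{ Status = $statusLine; Server = $serverHeader }
    }
    finally {
        $client.Close()
    }
}
```

Run `Set-DisableServerHeader` from an elevated prompt, reboot as the answer did, then call `Get-ServerHeaderOnIncompletePost`; `Server` should come back empty alongside the 411 status line.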
