How do I suppress or remove the HTTP response header 'Server: Microsoft-HTTPAPI/2.0'? Penetration testing has revealed that it is a security vulnerability to disclose the server platform.

I have a self-hosted ASP.NET Core web application running on Windows Server 2019 and am using HTTP.sys instead of Kestrel since I need NTLM authentication.

According to Microsoft, the response header can be turned off via the registry, but it does not work for me. I have set the DisableServerHeader to 2 in the registry per HTTP.SYS registry settings and rebooted the server.

  1. If I do not add a response header, it will be added automatically: Server: Microsoft-HTTPAPI/2.0
  2. If I add a response header, the value will be appended automatically: Server: my-dumy-value Microsoft-HTTPAPI/2.0

Update: I found the issue! I failed to enter the parameter name correctly; a trailing space was revealed when I exported the key. It works as expected after removing the space and rebooting the server.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader "=dword:00000002

3 Answers

1

There seems to be no code solution to remove the HTTP header from the server on the host. One solution is to edit the Windows registry.

You can add a registry value so HTTP.sys doesn't include the header.

1. Open Regedit

2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

3. If DisableServerHeader doesn't exist, create it (DWORD 32-bit) and give it a value of 2. If it does exist and the value isn't 2, set it to 2.

4. Reboot the server OR restart the HTTP service by running "net stop http" and then "net start http"

Reference: https://docs.microsoft.com/ru-ru/archive/blogs/dsnotes/wswcf-remove-server-header

answered 2021-08-31T06:28:33.787
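The steps above, as an added PowerShell example (not from the original answer or from Microsoft): it also catches the trailing-space mistake from the question by scanning the key for look-alike value names, then restarts HTTP.sys and checks the response. Run it in an elevated prompt; $appUrl is an assumed placeholder for your self-hosted application's URL.

```powershell
# Added example, not from the original post. Sets HTTP.sys DisableServerHeader=2,
# removes mis-typed look-alike value names, restarts HTTP.sys and verifies the header.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name    = 'DisableServerHeader'

# 1. Detect value names that only differ by whitespace, e.g. "DisableServerHeader "
#    (the root cause in the question). HTTP.sys ignores such names entirely.
$key = Get-Item -Path $keyPath
$lookalikes = $key.GetValueNames() | Where-Object { $_ -ne $name -and $_.Trim() -eq $name }
foreach ($bad in $lookalikes) {
    Write-Warning ("Removing value name with stray whitespace: '{0}' (length {1})" -f $bad, $bad.Length)
    Remove-ItemProperty -Path $keyPath -Name $bad
}

# 2. Create or correct the real REG_DWORD value. 2 = do not send a Server header at all.
$current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord -Value 2 | Out-Null
} elseif ($current -ne 2) {
    Set-ItemProperty -Path $keyPath -Name $name -Value 2
}

# 3. Restart HTTP.sys so the change takes effect. /y confirms stopping dependent services
#    (e.g. W3SVC); those dependents must be started again afterwards.
& net stop http /y | Out-Null
& net start http    | Out-Null

# 4. Verify: fetch a page from the app and look for a Server header in the response.
#    $appUrl is an assumed placeholder; -UseDefaultCredentials handles the NTLM challenge.
$appUrl   = 'http://localhost:5000/'
$response = Invoke-WebRequest -Uri $appUrl -UseBasicParsing -UseDefaultCredentials
if ($response.Headers.ContainsKey('Server')) {
    Write-Warning ("Server header still present: {0}" -f $response.Headers['Server'])
} else {
    Write-Host 'OK: no Server header in the response.'
}
```

If the verification step still reports the header, confirm you are hitting the HTTP.sys-hosted endpoint directly and not a reverse proxy in front of it, which may add its own Server header.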
0

I resolved the issue by entering the correct parameter name in the registry. It was a copy-paste error: the key name had a trailing space.

The key no longer ends with a space and everything works as expected.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=dword:00000002
answered 2021-08-31T12:04:52.370
-1

Have you tried configuring requestFilter with removeServerHeader in your IIS?

Refer: RequestFilter

By default it is set to false; you can set it to true. Refer for more.

answered 2021-08-30T12:02:36.030