How do i suppress or remove the HTTP response header 'Server: Microsoft-HTTPAPI/2.0'? Penetration testing has revealed that it is a security vulnerability to disclose the server platform.
I have a self-hosted asp.net core web application running on Windows Server 2019 and am using Http.Sys instead of Kestrel since I need NTML authentication.
According to Microsoft, the response header can be turned off via the registry, but it does not work for me. I have set the DisableServerHeader to 2 in the registry per HTTP.SYS registry settings and rebooted the server.
- If I do not add a response header, it will be added automatically. Server: Microsoft-HTTPAPI/2.0
- If I add a response header, the value will be added automatically. Server: my-dumy-value Microsoft-HTTPAPI/2.0
Update, I found the issue! I failed to enter the parameter name correctly, a traling space was revealed when I exported the key. It works as expected after removing the space and rebooting the server.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader "=dword:00000002