
I use the following custom headers and rewrite rules to remove server response headers in IIS 8.5, but when I open the network monitor in Firefox or Chrome and point to any file with status 404 (as well as missing images) or 302 (as well as a missing directory or a requested file in aspxerrorpath redirection), I can still see the original headers.

For example, the Microsoft website is hiding this information and these headers, but visiting a URL like this lets me easily determine the server and IIS version, which are:

Server Microsoft-IIS/10.0

X-AspNet-Version 4.0.30319

X-Powered-By ASP.NET

<system.webServer>

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By-Plesk" />
        <add name="Server" value="CustomName" />
    </customHeaders>
</httpProtocol>

<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Headers 1">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
    <rule name="Remove Headers 2" patternSyntax="ExactMatch">
      <match serverVariable="RESPONSE_SERVER" pattern=".*" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>  
</system.webServer>

Is there any way to fix this from IIS 8.5 or Web.Config without having to do this from my ASP.NET C# code?

3

Answers


  1. I don’t consider this to be a great answer, but it is a potential workaround depending on your site configuration. Experimentation with IIS 8.5 shows that the outbound rewrite rules are sufficiently ignored on a status code error handler (i.e. Error Pages response) or a 302 redirect in response to an error status that the Server header is left to default. However, if you redirect to a URL that is part of the site, then you will get the Outbound rewrite rule to fire.

    So, something like this in the web.config will redirect to the root of the site and the outbound rule will fire.

    <system.webServer>
      <httpErrors>
        <remove statusCode="404" subStatusCode="-1" />
        <error statusCode="404" path="/" responseMode="ExecuteURL" />
      </httpErrors>
    </system.webServer>

    If you can serve static content, you could add a file (say /errors/404.htm) and then change the path accordingly. When you get a 404 error, the 404.htm file will be returned and the outbound rule will fire. However, be aware that every error status will have this issue, so this will fix a 404, but other errors must be handled similarly.

  2. The solution for this is to add your URL Rewrite rule, not at the site level in IIS Manager, but at the server level. You can also directly edit the applicationHost.config file located at C:\Windows\System32\inetsrv\config on your web server. Either of these methods will cascade this rule down to each site you have in IIS. Before doing this, make sure to remove this rewrite rule that you may have already added for any child sites, otherwise it will duplicate the rule when added at the server level and cause an error. I have confirmed this works in IIS 8.5.

  3. I was able to remove the "Server: Microsoft-IIS/8.5" response header on default 404 error pages by adding "runAllManagedModulesForAllRequests="true"" to the tag in web.config. I had to do this for every site on the server. FYI, this solution did not fix default 400 "Bad Request" error pages.

    I have not tested performance after making this change. Others have said adding "runAllManagedModulesForAllRequests="true"" can result in a performance hit.

    This solution was taken from Rick Strahl’s site: https://weblog.west-wind.com/posts/2012/oct/25/caveats-with-the-runallmanagedmodulesforallrequests-in-iis-78

    Here is where to put it in your web.config file.

    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" >
        ...
      </modules>  
    </system.webServer> 
    
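Whichever workaround is applied, each error path has to be re-checked, since the answers above report that 404, 302 and 400 responses behave differently. The following is an added example, not code from any of the posters: a Python check that reports which responses still carry the fingerprinting headers, run here over constructed sample responses. The function names, the sample data and the treatment of `CustomName` as an acceptable `Server` value are assumptions of this example; `probe` fetches a live URL without following redirects so the 302 response itself is inspected.

```python
import urllib.error
import urllib.request

# Headers the question wants gone; names are matched case-insensitively.
FINGERPRINT = ("server", "x-powered-by", "x-aspnet-version")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: the 302 response itself is what we inspect

def leaks(headers, allowed_server="CustomName"):
    """Return {name: value} for fingerprinting headers in one response.
    An empty value (the outbound rule's rewrite) or the custom name is fine."""
    found = {}
    for name, value in headers:
        key, value = name.lower(), value.strip()
        if key in FINGERPRINT and value and (key, value) != ("server", allowed_server):
            found[key] = value
    return found

def probe(url, timeout=5):
    """Live mode: fetch url without following redirects -> (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.getheaders()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx replies still carry headers
        return err.code, list(err.headers.items())

def audit(responses):
    """responses: {label: (status, headers)} -> only the labels that still leak."""
    report = {}
    for label, (status, headers) in responses.items():
        found = leaks(headers)
        if found:
            report[label] = (status, found)
    return report

# Constructed sample responses mirroring the behaviour described on this page.
SAMPLES = {
    "normal page": (200, [("Server", ""), ("Content-Type", "text/html")]),
    "missing file": (404, [("Server", "Microsoft-IIS/8.5"), ("X-Powered-By", "ASP.NET")]),
    "aspxerrorpath redirect": (302, [("Server", "Microsoft-IIS/8.5"),
                                     ("X-AspNet-Version", "4.0.30319")]),
    "custom 404 page": (404, [("Server", "CustomName")]),
}

if __name__ == "__main__":
    for label, (status, found) in audit(SAMPLES).items():
        print(f"{status} {label}: {found}")
```

To check your own site, build the input with `probe` instead of `SAMPLES`, for instance one URL that exists, one missing file and one missing directory.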