Stefan Goßner

Senior Escalation Engineer for SharePoint Products and Technologies

IIS 7 – How to send a custom "Server" http header

A question we have often seen in the past is to have a method to prevent IIS from sending the server identification header to a client which allows a client to identify which type of http server it is talking too. Usually this request comes from security concerns as knowing the server would allow a hacker to more easily be able to break into the system.

Although the above assumption from customers is very doubtable we still need to be able to provide a solution for this.

Out of the box all our IIS servers respond with a server header similar to the following (sample is for IIS 6.0):

Server: Microsoft-IIS/6.0

For IIS 5 and IIS 6 customers often used UrlScan which allows to remove the server header from the response.

On IIS 7 this tool cannot be installed – but due to the very modular structure of IIS 7 it is possible to remove or even replace the Server header in a much more convenient way: using a custom Module which is injected into the IIS 7 Pipeline. Such a module can be developed as well using managed or unmanaged code.

Here is a sample .Net module which replaces the server http header with a custom header:

using System;
using System.Text;
using System.Web;

namespace StefanG.ServerModules
    public class CustomServerHeaderModule : IHttpModule
        public void Init(HttpApplication context)
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;

        public void Dispose()
        { } 

        void OnPreSendRequestHeaders(object sender, EventArgs e)
            // modify the “Server” Http Header
            HttpContext.Current.Response.Headers.Set(“Server”“Stefan’s Webserver”);

That’s it! When generating this module ensure to strong name it as it needs to be placed into the global assembly cache in order to allow IIS 7 to use it. To add the module to IIS 7 use the “Modules” configuration option on the server, choose “Add managed module” and select the module from the list of available modules.