A question we have often seen in the past is to have a method to prevent IIS from sending the server identification header to a client which allows a client to identify which type of http server it is talking too. Usually this request comes from security concerns as knowing the server would allow a hacker to more easily be able to break into the system.
Although the above assumption from customers is very doubtable we still need to be able to provide a solution for this.
Out of the box all our IIS servers respond with a server header similar to the following (sample is for IIS 6.0):
For IIS 5 and IIS 6 customers often used UrlScan which allows to remove the server header from the response.
On IIS 7 this tool cannot be installed - but due to the very modular structure of IIS 7 it is possible to remove or even replace the Server header in a much more convenient way: using a custom Module which is injected into the IIS 7 Pipeline. Such a module can be developed as well using managed or unmanaged code.
Here is a sample .Net module which replaces the server http header with a custom header:
public class CustomServerHeaderModule : IHttpModule
public void Init(HttpApplication context)
context.PreSendRequestHeaders += OnPreSendRequestHeaders;
public void Dispose()
void OnPreSendRequestHeaders(object sender, EventArgs e)
// modify the "Server" Http Header
HttpContext.Current.Response.Headers.Set("Server", "Stefan's Webserver");
That's it! When generating this module ensure to strong name it as it needs to be placed into the global assembly cache in order to allow IIS 7 to use it. To add the module to IIS 7 use the "Modules" configuration option on the server, choose "Add managed module" and select the module from the list of available modules.