How to Remove Microsoft-HTTPAPI/2.0 Header on IIS 8 and 10
If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).
You can test this by throwing an error using CURL:
curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"
You will see something like this if your server is sending the header:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
You can add a registry value so HTTP.sys doesn't include the header.
- Open Regedit
- Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
- Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"
Reference: WS/WCF: Remove Server Header
After you add the registry key, the response looks like this:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
Posting here so people who need this can find it. (Thanks, Oram!)
Related videos on Youtube
Bagus Tesa
service motivation status Error: motivation dead but pid file exists
Updated on September 18, 2022Comments
-
Bagus Tesa over 1 year
I'm trying to remove Microsoft-HTTPAPI/2.0 server header from my HTTP responses following this article form MSDN. Currently I'm applying the registry-based solution on Windows Server 2008 R2 and Windows 10 to no luck. I still receive the headers whenever I send an HTTP request with empty
Host
header.curl -X GET "127.0.0.1" -H "Host:" --head
The command above returns HTTP 400 Bad Request with
Server: Microsoft-HTTPAPI/2.0
.Is there any newer approach to remove the particular header? I know this was asked before for IIS 7 (which probably the solution still works), but reboot doesn't cure the problem on those two Windows I have mentioned above.
Thank you in advance.
ps. I know its kind of security in obscurity, but auditors wants it.
-
Bagus Tesa over 4 yearshi Jeffry McGee, welcome to serverfault. just to let you know that i have tried the windows registry solution to no avail on newer windows. have you tried the thing yourself on windows 10 education and pro? may i know which windows the registry fix tested? i suspect there is something else in play.
-
Jeffry McGee over 4 yearsI have tested this on Windows Server 2016 and Windows Server 2019.
-
Abubakar Riaz over 3 yearsI tried on Windows Server 2012 R2, it does not work
-
Bagus Tesa over 2 yearshi, welcome to serverfault, as I have said and tagged on the question. i cant get it to work on Windows Server 2008 R2. Abubakar Riaz also pointed out that it also doesnt work on Windows Server 2012 R2. I suppose it only work on Windows Server 2016 and above.