Use HTACCESS to Remove SERVER_SOFTWARE from ServerVariables

I am trying to remove SERVER_SOFTWARE from ServerVariables for security / PCI Compliance. We are running IIS 8.5 on Win Server 2012 R2 Standard.

I saw this, but it is modifying web.config: "Host header (SERVER:) and URL Rewrite".

I tried using "Header unset SOFTWARE" but I don't think it's being called correctly and I cannot figure out the correct setup. We are using Helicon ISAPI_Rewrite version 3.1.

Can this be done via HTACCESS?

I also tried doing the URL_REWRITE per here (https://port135.com/change-remove-response-headers/). I added the RESPONSE_Server variable, but it's still showing SERVER_SOFTWARE = Microsoft-IIS/8.5

Thanks.

Best answer

Looks like I fixed this. For anyone that finds this, I just removed everything and put it back in place manually in web.config as the FIRST item inside the system.webServer - it did NOT work using URL Rewrite. Note - I was trying to replace with "0", but that could have been part of the issue as well, not sure. This EXACT web.config text worked:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
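
A static check of the fix above, added here as an example (it is not code from the original post): it parses a web.config and reports whether an enabled outbound rule blanks RESPONSE_Server, for instance as a deployment gate. The function name, the constructed "0" variant, and the use of Python's `re` as a stand-in for URL Rewrite's regex engine are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The answer's working web.config, copied from the page.
WORKING = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>"""

# Constructed variant: rewrites the banner to "0" instead of blanking it.
REWRITES_TO_ZERO = WORKING.replace('value=""', 'value="0"')

BANNER = "Microsoft-IIS/8.5"  # banner value quoted in the question

def audit_server_header_rule(web_config_xml, banner=BANNER):
    """Return a list of findings; an empty list means the rule blanks the header."""
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    rules = root.findall("./system.webServer/rewrite/outboundRules/rule")
    candidates = [
        r for r in rules
        if r.find("match") is not None
        and r.find("match").get("serverVariable", "").lower() == "response_server"
    ]
    if not candidates:
        return ["no outbound rule matches serverVariable RESPONSE_Server"]
    findings = []
    for rule in candidates:
        name = rule.get("name", "<unnamed>")
        match, action = rule.find("match"), rule.find("action")
        if rule.get("enabled", "true").lower() != "true":
            findings.append(f"{name}: rule is disabled")
        # Python's re stands in for URL Rewrite's regex engine (assumption).
        if not re.search(match.get("pattern", ""), banner):
            findings.append(f"{name}: pattern does not match {banner!r}")
        if action is None or action.get("type", "").lower() != "rewrite":
            findings.append(f"{name}: action is not type Rewrite")
        elif action.get("value", "") != "":
            findings.append(f"{name}: header is rewritten to {action.get('value')!r}, not blanked")
    return findings
```

A clean result only shows the configuration is in place; confirm the effect by inspecting the headers of a live response from the site.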