
Administration manual

Prevent the IIS version number disclosure

Disclosing the IIS version in the HTTP header allows conclusions to be drawn about the Windows Server version in use. We therefore recommend preventing the disclosure of the version. To do so, add the following entry to the web.config in the main folder of the website, or create the file if it does not exist yet:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- The <rewrite> section requires the IIS URL Rewrite module to be installed. -->
        <rewrite>
            <outboundRules rewriteBeforeCache="true">
                <!-- Replace any Server header value with "Microsoft-IIS" (no version number). -->
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="Microsoft-IIS" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Prevent X-Powered-By in the HTTP header

The disclosure of X-Powered-By: ASP.NET in the header can be prevented by extending the web.config as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <!-- Remove the X-Powered-By header from all responses of this site. -->
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
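
The following PowerShell check is an added example, not part of the original manual: after both web.config changes above, it flags a Server header that still carries an IIS version number and any X-Powered-By header. The function name Test-HeaderDisclosure, the sample header values and the URL in the final comment are assumptions constructed for illustration.

```powershell
# Added example: flags the two header disclosures covered on this page.
function Test-HeaderDisclosure {
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary] $Headers
    )

    foreach ($name in @($Headers.Keys)) {
        # A value is a string in Windows PowerShell 5.1 and a string
        # collection in PowerShell 7; normalise both to one string.
        $value = @($Headers[$name]) -join ', '

        if ($name -eq 'Server' -and $value -match '^Microsoft-IIS/\d') {
            "Server header still discloses the IIS version: $value"
        }
        elseif ($name -eq 'X-Powered-By') {
            "X-Powered-By header is still sent: $value"
        }
    }
}

# Constructed sample headers (not captured from a real server).
$before = @{ 'Server' = 'Microsoft-IIS/10.0'; 'X-Powered-By' = 'ASP.NET' }
$after  = @{ 'Server' = 'Microsoft-IIS' }

foreach ($sample in @(@{ Label = 'before'; Headers = $before },
                      @{ Label = 'after';  Headers = $after })) {
    $findings = @(Test-HeaderDisclosure -Headers $sample.Headers)
    if ($findings.Count -eq 0) {
        "[$($sample.Label)] OK: no version or framework disclosure"
    }
    else {
        $findings | ForEach-Object { "[$($sample.Label)] $_" }
    }
}

# Live check against your own site (placeholder URL, an assumption):
# $response = Invoke-WebRequest -Uri 'https://www.example.com/' -UseBasicParsing
# Test-HeaderDisclosure -Headers $response.Headers
```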