Removing Server header from static content in IIS 7/8

Question

As part of an effort to make our API and site more secure, I\'m removing headers that leak information about what the site is running.

Example before stripping headers:<

Answer 1

Unfortunately managed code modules only work for code passing through the ASP.NET pipeline, whilst others have correctly suggested it is possible to force all requests through managed code, I personally feel this is less than desirable.

In order to remove headers from all requests, including static content, which by default is served directly and not through managed code, it is possible to use a Native-Code module. Unfortunately Native-Code modules are a little more difficult to write as they use the win32 APIs rather than ASP.NET, however in my experience they are much more suitable to removing headers.

The following link has binaries and source code for a Native-Code module that can be used to remove headers. It requires no extra configuration to remove the "Server" headers, but other headers to remove can be added in the IIS configuration.

http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85