How to Remove Microsoft-HTTPAPI/2.0 Header on IIS 8 and 10

最新推荐文章于 2022-12-09 17:40:39 发布
最新推荐文章于 2022-12-09 17:40:39 发布
阅读量716 收藏
点赞数
分类专栏: windows 文章标签: microsoft
原文链接:https://serverfault.com/questions/941585/how-to-remove-microsoft-httpapi-2-0-header-on-iis-8-and-10
版权

How to Remove Microsoft-HTTPAPI/2.0 Header on IIS 8 and 10
原文链接:https://serverfault.com/questions/941585/how-to-remove-microsoft-httpapi-2-0-header-on-iis-8-and-10
1

I’m trying to remove Microsoft-HTTPAPI/2.0 server header from my HTTP responses following this article form MSDN. Currently I’m applying the registry-based solution on Windows Server 2008 R2 and Windows 10 to no luck. I still receive the headers whenever I send an HTTP request with empty Host header.

curl -X GET “127.0.0.1” -H “Host:” --head
The command above returns HTTP 400 Bad Request with Server: Microsoft-HTTPAPI/2.0.

Is there any newer approach to remove the particular header? I know this was asked before for IIS 7 (which probably the solution still works), but reboot doesn’t cure the problem on those two Windows I have mentioned above.

Thank you in advance.

ps. I know its kind of security in obscurity, but auditors wants it.

Asked 3 years, 1 month ago
Active 2 months ago
Viewed 7k times

1

I’m trying to remove Microsoft-HTTPAPI/2.0 server header from my HTTP responses following this article form MSDN. Currently I’m applying the registry-based solution on Windows Server 2008 R2 and Windows 10 to no luck. I still receive the headers whenever I send an HTTP request with empty Host header.

curl -X GET “127.0.0.1” -H “Host:” --head
The command above returns HTTP 400 Bad Request with Server: Microsoft-HTTPAPI/2.0.

Is there any newer approach to remove the particular header? I know this was asked before for IIS 7 (which probably the solution still works), but reboot doesn’t cure the problem on those two Windows I have mentioned above.

Thank you in advance.

ps. I know its kind of security in obscurity, but auditors wants it.

windows-server-2008-r2
iis
windows-10
iis-8
Share
Improve this question
Follow
asked Nov 26 '18 at 1:26

Bagus Tesa
11311 silver badge77 bronze badges
Add a comment
2 Answers

3

If the response’s Server header returns “Microsoft-HttpApi/2.0”, it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using CURL:

curl -v http://www.yourdomain.com/ -H “Range: bytes=00-18446744073709551615”
You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
You can add a registry value so HTTP.sys doesn’t include the header.

Open Regedit
Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
If DisableServerHeader doesn’t exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn’t 2, set it to 2.
Reboot the server OR restart the HTTP service by calling “net stop http” then “net start http”
Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
Posting here so people who need this can find it. (Thanks, Oram!)

沉淀的流星
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
DataGrid---ASP.NET-MVC---How-to-configure-routing-based-on-Http-Verb-attributes-to-support-CRUD
05-22
DataGrid-ASP.NET MVC-如何基于Http [Verb]属性配置路由以支持CRUD操作 本示例演示如何基于Http [Verb]属性配置路由以支持DataGrid中的CRUD操作。 将Controller,LoadAction,UpdateAction,InsertAction和DeleteAction选项设置为true,以便dxDataGrid的数据源可以访问控制器中的相应动作。 . DataSource ( d => d . WebApi () . Controller ( " DataGridEmployees " ) . LoadAction ( true ) . UpdateAction ( true ) . InsertAction ( true ) . DeleteAction
Java9 HTTP2.0 API入门与实践
热门推荐
Lovnx
09-23 1万+
简述如果您需要使用Java语言来请求HTTP资源,那么你可能会遇到多种解决方案,你最终可能会以一种合理的方式来达成这个目的 —– 引用第三方包。好消息,好消息,黄鹤带着小姨子回来了,皮革厂有救了:Java9除了有模块化特性之外,还附带了一个全新的HTTP客户端API。不仅支持HTTP2.0,还提供了一套有亲和力的API。SO,让我们来剥掉小姨子神秘的蕾丝面纱。HTTP2.0是啥子东东?HTTP2.0
80端口被Microsoft-HTTPAPI/2.0占用
weixin_34268310的博客
03-15 537
2019独角兽企业重金招聘Python工程师标准>>> ...
microsoft-HTTPAPI占用80端口,导致APACHE,WAMP,PHPNOW无法启动解决方法
刻苦与奋斗
07-08 2821
由于安装SQL SERVER导致,关闭 SQL SERVER的 SQL SERVER Reporting Service即可
80端口被Microsoft-HTTPAPI/2.0占用的解决办法
weixin_34122548的博客
03-03 461
为什么80%的码农都做不了架构师?>>> ...
中间件版本信息泄露:Microsoft-HTTPAPI/2.0
ilqgffvramusm2864的博客
12-01 2955
中间件版本泄露、隐藏版本号、Microsoft-HTTPAPI 版本泄露 、IIS版本泄露
Hack The Box 系列域渗透之靶机Cascade
FreeBuf_的博客
12-09 754
本小白最近在学域渗透,决定把Hack The Box的Active Directory 101 系列域渗透靶机打完,并详细记录当中用到的工具、知识点及其背后的原理。本篇文章是该系列的第八篇,靶机名字为Cascade。
【Hack The Box】windows练习-- acute
人间体佐菲的博客
11-18 391
【Hack The Box】windows练习-- acute
端口80被Microsoft-HTTPAPI/2.0占用的解决办法
jimjayce的专栏
09-23 849
在使用Wamp时发现端口80被占用,
IIS去除无用的HTTP响应头
Mr_ZTQ
03-12 1605
IIS去除无用的HTTP响应头最开始的做法遇到的问题解决方案 最开始的做法 修改Web.config配置文件去除X-AspNet-Version、X-Powered-By <system.web> <!--关闭ASP.Net版本号--> <httpRuntime enableVersionHeader="false"/> </system.web> <system.webServer> <httpProtocol&
ews-java-api-2.0
11-29
EWS java API 里面包含 Java调用EWS 接口所需要的所有jar包如: commons-logging-1.2.jar joda-time-2.8.jar commons-lang3-3.4.jar httpclient-4.4.1.jar httpcore-4.4.1.jar
DMA-API-HOWTO使用方法1
08-04
DMA-API-HOWTO使用方法1 DMA-API-HOWTO是一份指导设备驱动程序编写者如何使用DMA API的指南,旨在帮助驱动程序编写者了解如何正确地使用DMA API,以便在设备驱动程序中实现动态DMA映射。下面是对DMA-API-HOWTO的...
JSN-SR04T-2.0(超声波材料)_SR04T_thecode_jsn-sr04t_
10-03
the file shows how to use JSN-SR04T and the source code
how-to-call-api-in-nodejs::red_question_mark:如何在Node.js中进行API调用
05-27
:red_question_mark: 如何在Node.js中调用API 文章(印尼语) 装置 # Install pnpm $ npm i -g pnpm # Install dependencies $ pnpm i 1.本机Node.js 测试API调用: $ pnpm run call:1 2.节点获取 测试API调用:...
javafx-scene-builder2.0.zip
03-07
Please consult the OpenJFX Wiki for instructions describing how to download and build its source code. Please note that the source code for this application can be found in the "apps/scenebuilder" ...
非RESTful的微软REST API指南
啊啊啊啊2
07-03 196
微软发布了创建“RESTful” API的指南。Roy Fielding将这些与REST没有多大关系的API称为HTTP API。\u0026#xD;\n\u0026#xD;\n许多组织都发布了创建面向Web的HTTP API的建议,甚至是白宫都发布了一份标准——“白宫Web API标准”。近日,微软公开了他们的“微软REST API指南2.3”,这是一份全面而成熟的规范。该规范被制定出来,主要是...
win7下WAMP 80端口被Microsoft-HTTPAPI/2.0占用的解决
薛瑄的博客
09-17 2302
问题如下: 网上有关于这个处理办法,说道: VS2010在更新了SP1后,会在开机时自动启动一个服务,占用WAMP的80端口,导致WAMP无法正常启动Apache。提示信息: Your port 80 is actually used by : Server: Microsoft-HTTPAPI/2.0 Press Enter to e
Apache服务无法开启 解决方法(80端口被占用, 解决80端口被Microsoft-HTTPAPI/2.0占用的方法)
ZHM977863924的专栏
01-08 4938
无论是单独安装Apache还是安装Wamp.都可能遇到Apache服务无法开启。最大的可能是它所使用的80端口被其他进程占用。iis以及迅雷都是使用80端口的。关闭这些进程一般就可以启动Apache服务了。如果还是不行。那就测试一下80端口的占用情况。很可能出现的情况是:80端口被Microsoft-HTTPAPI/2.0占用。下面介绍了解决这种情况的方法。 方法一: VS2010在更
使用OWIN自托管ASP.NET Web API
carcarrot的博客
09-03 883
本例为官方教程Use OWIN to Self-Host ASP.NET Web API​​​​​​​
Access-Control-Allow-Origin' header is present on the requested resource.
最新发布
09-02
The error message "Access-Control-Allow-Origin' header is present on the requested resource" usually occurs when a web page or a web API tries to make a cross-origin request but doesn't have the appropriate CORS (Cross-Origin Resource Sharing) headers set up. CORS is a security mechanism implemented in browsers to restrict cross-origin requests, meaning requests made from one domain to another. Browsers enforce this mechanism by checking for the presence of specific headers in the server's response. To resolve this issue, the server hosting the requested resource needs to include the "Access-Control-Allow-Origin" header in its response. This header specifies which origins are allowed to access the resource. For example, if you want to allow all origins, you can set the value to "*". You can also specify a specific origin or a list of origins. Here's an example of how to set the "Access-Control-Allow-Origin" header in different programming languages: In Node.js with Express: ```javascript app.use(function(req, res, next) { res.header("Access-Control-Allow-Origin", "*"); next(); }); ``` In PHP: ```php header("Access-Control-Allow-Origin: *"); ``` In Python with Flask: ```python from flask import Flask from flask_cors import CORS app = Flask(__name__) CORS(app) ``` Make sure to include the appropriate code based on your server-side technology. By setting the correct headers, you should be able to resolve the "Access-Control-Allow-Origin" error.

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值