Issue description
Appscans continue to report the IIS version number is displayed under certain conditions.
Steps to reproduce the issue
What's the expected result?
"Invalid Route."
The Server header in the network tab should say Kestrel (or anything other than an IIS version number).
What's the actual result?
An IIS "page not found" error.
The Server header appears, displaying a version number.
Additional details / screenshot
The HTTP response has a content type of text/html, meaning it was generated by IIS instead of the API application (the API returns application/json). Running the request against a local copy of the app (and removing /triallistingsupport/v1 from the path) gets the expected error message.
The path in the request is a doubly url-encoded string, suggesting this is an edge case in the interaction between IIS and Kestrel.
Issue #47 (Remove sensitive IIS headers) attempts to rewrite the Server header. Prior to IIS 10, it is not possible to fully remove it.
Related Tickets
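
A regression check for the condition reported in this issue, written as an added example that is not part of the original issue or the project's code: it flags a response whose Server header carries an IIS version, whose content type shows that IIS rather than the API produced it, and whose request path was doubly URL-encoded. The sample responses, the path suffix after /triallistingsupport/v1, the IIS version shown and the finding names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Version-bearing banner that IIS emits, e.g. "Microsoft-IIS/8.5".
IIS_BANNER = re.compile(r"Microsoft-IIS/\d+(\.\d+)*", re.IGNORECASE)

# Constructed sample response heads (not captured from the real service).
IIS_404 = """HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.5
"""
APP_404 = """HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Server: Kestrel
"""


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_double_encoded(path):
    """True when one decode still leaves percent-escapes that decode again."""
    once = unquote(path)
    return once != path and unquote(once) != once


def audit(path, raw_head):
    """Return the findings for one request path and its response head."""
    _, headers = parse_head(raw_head)
    findings = []
    if IIS_BANNER.search(headers.get("server", "")):
        findings.append("server-header-discloses-iis-version")
    # The API only returns application/json, so text/html means IIS answered.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "text/html":
        findings.append("response-generated-by-iis")
    if findings and is_double_encoded(path):
        findings.append("triggered-by-double-encoded-path")
    return findings


if __name__ == "__main__":
    print(audit("/triallistingsupport/v1/a%2520b", IIS_404))
```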