NCIOCPL / clinical-trials-listing-api

API for Clinical Trial (Dynamic) Listing Pages

Remove IIS version number from Server header #49

Open blairlearn opened 3 years ago

blairlearn commented 3 years ago

Issue description

Appscans continue to report the IIS version number is displayed under certain conditions.

ESTIMATE TBD

Steps to reproduce the issue

  1. Open the browser's developer tools and switch to the network tab
  2. Browse to https://webapis-dev.cancer.gov/triallistingsupport/v1/%2522ns%253D%2522netsparker%25280x042367%2529

What's the expected result?

What's the actual result?

Additional details / screenshot

The HTTP response has a content type of text/html, meaning it was generated by IIS instead of the API application (the API returns application/json). Running the request against a local copy of the app (and removing /triallistingsupport/v1 from the path) gets the expected error message.

The path in the request is a doubly URL-encoded string, suggesting this is an edge case in the interaction between IIS and Kestrel.

Issue #47 (Remove sensitive IIS headers) attempts to rewrite the Server header. Prior to IIS 10, it is not possible to fully remove it.

Related Tickets

blairlearn commented 1 year ago

Requires Windows Server 2019/IIS 10
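Added example, not part of this issue or of the project's own deployment files: a web.config fragment for an ASP.NET Core site hosted on IIS 10 (Windows Server 2019) that turns on the `removeServerHeader` request-filtering attribute, which is the IIS 10 feature the previous comment refers to. It assumes the site already has the `<aspNetCore>` handler elements that `dotnet publish` generates and that only the `<security>` element is being added. The comments also spell out why the double-encoded probe path from the reproduction steps gets a text/html response: with the default `allowDoubleEscaping="false"`, IIS request filtering rejects the `%25` sequences with its own 404.11 error page before the request ever reaches Kestrel, so that page (not the API) is where the version number leaks.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's own web.config. Assumes IIS 10 or later
     and that the <aspNetCore>/handler elements generated by publish remain
     unchanged below. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Default behaviour when the attribute is omitted (the weak setting):
             <requestFiltering removeServerHeader="false" allowDoubleEscaping="false" />
           allowDoubleEscaping="false" makes the request-filtering module reject a
           path containing %25 sequences with a 404.11 text/html page. That page
           is generated by IIS, never by the API, and carries
           "Server: Microsoft-IIS/<version>" unless removeServerHeader is set. -->
      <requestFiltering removeServerHeader="true" allowDoubleEscaping="false" />
    </security>
    <!-- Keep allowDoubleEscaping="false": relaxing it would forward the rejected
         paths to the application instead of fixing the header disclosure. -->
  </system.webServer>
</configuration>
```

After deploying, repeat the request from the reproduction steps with the browser's network tab open (or any client that shows raw response headers) and confirm the 404 response no longer carries a `Server` header. Two caveats a reviewer would want stated: `removeServerHeader` only affects responses that IIS itself produces, so responses rejected earlier by HTTP.sys for malformed requests are not covered by this setting; and the API's own JSON responses are served by Kestrel, which adds a `Server: Kestrel` header of its own unless the application disables it (Kestrel's `AddServerHeader` option), so the two layers have to be handled separately.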