Wednesday, October 30, 2019

To prevent IIS from showing the IP in the Location header of an HTTP response


Change web.config of the application to add a hostname to be shown in the Location header:

<system.webServer>
......
    <serverRuntime alternateHostName="myserver" />
......
</system.webServer>

This change may trigger an authentication error complaining about the locked section in the configuration. To fix it, run the command:
> %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/serverRuntime

It unlocks the section system.webServer/serverRuntime at configuration path "MACHINE/WEBROOT/APPHOST". What it actually does is change the following file
        C:\Windows\System32\inetsrv\config\applicationHost.config
by adding
        <serverRuntime />
to the "Allow" sections:
<location path="" overrideMode="Allow">
    <system.webServer>
    ......
        <serverRuntime />
    </system.webServer>
</location>

However, "myserver" is only returned in the Location header when the request does not contain a Host header. If the request includes a Host header, the value of that header is returned in the Location header instead.
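To confirm the setting on your own server, the redirect can be requested both without and with a Host header and the Location value inspected. The script below is an added example, not code from the original post; the function names, the /app path and the address 10.0.0.5 in the sample responses are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.5/app/\r\n\r\n"
AFTER_FIX = b"HTTP/1.1 302 Found\r\nLocation: http://myserver/app/\r\n\r\n"

def location_host(raw_response):
    """Return the host part of the Location header, or None if there is none."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return urlsplit(value.strip()).hostname  # None for relative URLs
    return None

def leaks_ip(raw_response):
    """True when the Location header carries an IP literal instead of a name."""
    host = location_host(raw_response)
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def fetch(server, path, host_header=None, port=80):
    """Send one HTTP/1.0 GET, with or without a Host header; return the raw reply."""
    request = f"GET {path} HTTP/1.0\r\n"
    if host_header:
        request += f"Host: {host_header}\r\n"
    request += "\r\n"
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, location_host(sample), "IP leaked:", leaks_ip(sample))
    # Against your own server (hypothetical name), check both request forms:
    #   leaks_ip(fetch("iis-host.example", "/app"))
    #   leaks_ip(fetch("iis-host.example", "/app", host_header="iis-host.example"))
```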
