Web Server version is returned in HTTP response

Article # 3039151


A penetration test may find that the web server version is exposed in the Server header of some HTTP responses. An attacker could use this information to carry out application-specific attacks.




This header is not returned by KTA or even by IIS. Windows has an HTTP service that manages calls to IIS and other HTTP-enabled services on a Windows machine. It is this HTTP service that adds the server header to the response.

Preventing this header from being returned by the HTTP service can be achieved using the steps below:

  1. In the registry of the KTA server, go to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  2. Create a DWORD called DisableServerHeader if one does not already exist
  3. Set the value to 1
  4. Reboot the machine
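
The registry procedure can also be scripted and its result verified. The following is an added example, not part of the original article or vendor code; it assumes an elevated Windows PowerShell 5.1 session on the KTA server, and `$TestUrl` is a placeholder for a URL served by that machine.

```powershell
# Added example, not vendor code. Run in an elevated Windows PowerShell 5.1 session.
param(
    [string]$TestUrl = 'http://localhost/',  # assumption: placeholder URL served by this machine
    [switch]$Apply                           # without -Apply the script only reports
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableServerHeader'

# Steps 1-2: read the value; $null means the DWORD does not exist yet.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name is not present"
} else {
    Write-Output "$name is currently $current"
}

# Step 3: create the DWORD if needed and set it to 1.
if ($Apply -and $current -ne 1) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$name set to 1. Reboot the machine (step 4) for it to take effect."
}

# Verification: request the test URL and report the Server header, if any.
try {
    $headers = (Invoke-WebRequest -Uri $TestUrl -Method Head -UseBasicParsing).Headers
} catch {
    # Error responses (4xx/5xx) still carry headers; 5.1 exposes them on the exception.
    $headers = if ($_.Exception.Response) { $_.Exception.Response.Headers } else { $null }
}

if ($null -eq $headers) {
    Write-Warning "No HTTP response from $TestUrl; cannot check the Server header."
} elseif ($headers['Server']) {
    Write-Warning "Server header still returned: $($headers['Server'])"
} else {
    Write-Output "No Server header in the response from $TestUrl."
}
```

Run it once without `-Apply` to record the current state, again with `-Apply` to make the change, and once more after the reboot to confirm the header is gone.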

This header can be disabled usin


Level of Complexity 



Applies to  

Product Version Build Environment Hardware
KTA ALL      


Remove Unwanted HTTP Responses (

