divetennis

IIS 7 and above question.

For HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG_DWORD), I realised that on some IIS servers there is no such entry in the registry.

May I find out: if this entry is not found in the registry, what is the default?

Thanks!
ASKER CERTIFIED SOLUTION
Kyle Abrahams, PMP

divetennis

ASKER

What if this registry item does not exist? Is it possible?
Yes.  By default the server sends headers.  There are hidden values that they don't want you to override unless you have a specific reason.  You'll note in the instructions in the URL it says to create it and set it to 1.
You can also control these HTTP Response headers without editing the registry.

I recommend that you use IIS Manager to modify the response headers using the HTTP Response Header feature.  You can modify the headers at the Server level.  The sites on the server will inherit the settings from the server unless they have been overridden at the site level.

Link:  https://technet.microsoft.com/en-us/library/cc771148(v=ws.10).aspx

You can control common headers like HTTP keep-alives and content cache control (content expiration).  You can also set custom headers if necessary or set up other site headers that help in securing your site.  For example:

Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
x-frame-options
x-xss-protection

The feature allows you to delete and/or add headers to the server as a whole or you can drill down and modify individual site headers.

** side-note:  I haven't modified the registry of an IIS server to control IIS actions in over 10 years.  I don't recommend it now.  **

Dan
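
An added example, not part of the original thread or of any poster's answer: a PowerShell check for the registry value asked about above, which tells a missing entry (the default case, where the server sends headers, as the reply states) apart from an explicitly configured one. The function name `Get-DisableServerHeaderState` and the output field names are assumptions made for this illustration.

```powershell
# Added example (not from the thread): report how DisableServerHeader is set locally.
# The function name and output field names are made up for this illustration.
function Get-DisableServerHeaderState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters',
        [string]$Name = 'DisableServerHeader'
    )

    # Start from the "entry missing" case, which is the one the question is about.
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Present  = $false
        Kind     = $null
        Value    = $null
        Note     = 'Entry not found: default applies, the server sends headers.'
    }

    if (-not (Test-Path -Path $Path)) {
        $result.Note = "Key $Path not found; nothing is configured here."
        return [pscustomobject]$result
    }

    $key = Get-Item -Path $Path
    # GetValueNames() lists only values that exist, so a missing entry is
    # detected without relying on an error being thrown. -contains is
    # case-insensitive, matching how registry value names are compared.
    if ($key.GetValueNames() -contains $Name) {
        $result.Present = $true
        $result.Kind    = $key.GetValueKind($Name)
        $result.Value   = $key.GetValue($Name)
        if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Note = 'Entry exists but is not a REG_DWORD; review it.'
        }
        else {
            $result.Note = "Entry exists and is set to $($result.Value)."
        }
    }

    [pscustomobject]$result
}

# Read-only: nothing is created or changed.
Get-DisableServerHeaderState | Format-List
```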