Home » How to Change or Remove Response Headers using URL Rewrite in IIS

How to Change or Remove Response Headers using URL Rewrite in IIS

IIS attaches a set of headers like Content-Type and X-Powered-By to the response by default. In addition to these headers, developers can also add custom headers. If you want to change or remove one of these response headers, you can use URL Rewrite rules in IIS Manager.

Change Response Headers using URL Rewrite

Follow the steps below to change the value of a response header. Please note that these steps won’t remove a response header. They will only change the value.

For this post, I changed the value of ETag header. It’s one of the default headers.

Change Response Headers using URL Rewrite

There are two high-level steps:

  • Add a server variable
  • Add a URL Rewrite rule to edit this server variable

Steps to add a server variable

  1. If you haven’t already, install URL Rewrite and reopen IIS Manager
  2. Click on the website
  3. Double click on URL Rewrite
  4. On the right side, click View Server Variables
  5. Click Add
  6. Enter RESPONSE_ETag and click OK
URL Rewrite Server Variables

Steps to add a URL Rewrite rule

  1. In IIS Manager, click on the website
  2. Double click on URL Rewrite
  3. On the right side, click Add Rule(s)
  4. Select Blank rule in Outbound Rules section and click OK
  5. Fill out the fields with the following values
    • Precondition: None
    • Matching scope: Server Variable
    • Variable name: RESPONSE_ETag
    • Variable value: Matches the Pattern
    • Using: Regular Expressions
    • Pattern: .*
    • Ignore case: checked
    • Conditions: none
    • Action type: Rewrite
    • Value: newvalue
    • Replace existing server variable value: checked
  6. On the right side, click Apply
  7. Clear the cache and refresh the page (or hit Ctrl + F5). ETag header should have “newvalue” now

Here is how the Match section of the rule looks like:

Outbound rule Match section

Action section:

Outbound rule Action section

New value:

New ETag value

If you want to change a header to prevent Host Header Attack, check this post out: Solution for Host Header Attack and Vulnerability. Other useful links: Post 1, Post 2

Categories IIS

Leave a Comment