Remove Server header from Azure Application Gateway

Hasan Shehzeb 40 Reputation points
2025-07-22T09:29:58.9433333+00:00

Hello,

I have an Application Gateway with WAFv2 that sits in front of my App Services. An audit revealed that Server headers are being disclosed as
Server: Microsoft-Azure-Application-Gateway/V2.
Since the IP is directly checked for this recon, I am unable to rewrite the rules to disable this.
Can someone please assist me with disabling this feature? Thank you.

Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.

Accepted answer
  1. Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator
    2025-07-23T07:17:40.2233333+00:00

    Hello Hasan Shehzeb,

    I understand that you’re trying to remove the Server header from your Azure Application Gateway, but it’s not working as expected.

    Rewrites are not available for responses generated directly from the Application Gateway. This feature is currently unsupported and is on our backlog. While there is no estimated timeline yet, we plan to address this limitation soon.

    Rewrites are not supported for 4xx and 5xx status codes, but you can try using rewrites for other types of responses.

    Please check the below screen shot:
    User's image

    Please refer to the following document for more information:

    https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#limitations

    You may also find this Q&A thread helpful: https://learn.microsoft.com/en-us/answers/questions/627494/app-gateway-v2-unable-to-remove-server-response-he

    Also, please check it in the Azure feedback link as well:

    https://feedback.azure.com/d365community/idea/88a5fb41-8010-ee11-a81c-000d3adb7ffd


    Hope the above answer helps! Please let us know if you have any further queries.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

1 additional answer

  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-07-22T13:58:11.31+00:00

    Hasan Shehzeb hi there and thx for posting urs Q at Q&A portal,

    azure app gateway v2 actually lets u rewrite headers, including the 'server' one. u need to use a rewrite rule set. here's how u do it...

    go to ur app gateway in the portal. under 'settings', find 'rewrites'. add a rewrite rule set. then create a new rule to modify the response header. set 'server' to whatever u want... or just blank it out like this

    action type: 'set'
    header name: 'server'
    header value: ''

    https://docs.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url

    if u ever use nginx or apache, u can kill headers the same way. worth looking into...

    even if u blank the 'server' header, some scanners might still detect the gateway by other means. so maybe add some obfuscation rules or rate limiting to slow down the recon bots.

    security folks love this stuff )) removing headers is like hiding ur fingerprints... but hey, every bit helps, right? let me know if u hit a snag. and thanks again for dropping the question here, it's a good one )

    ps: if u wanna go deeper, look at custom waf rules too. they can help mask other sneaky details. microsoft has docs on that as well https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helps you, please Accept my answer
    

    https://ctrlaltdel.blog/
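
A way to check what the two answers above describe, added here as an example and not code from either answerer or from Microsoft: it parses saved response heads and lists, per status class, which responses still carry a `Server` value. The captures, request labels and function names are constructed for illustration.

```python
from email.parser import Parser

# Prefix of the header value quoted in the question.
GATEWAY_BANNER = "Microsoft-Azure-Application-Gateway"

# Constructed response heads, in the shape `curl -s -D - -o /dev/null <url>` prints.
CAPTURES = {
    "GET /": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "GET /api": "HTTP/2 200\r\nserver: \r\ncontent-type: application/json\r\n\r\n",
    "GET /waf-blocked": "HTTP/1.1 403 Forbidden\r\n"
                        "Server: Microsoft-Azure-Application-Gateway/V2\r\n\r\n",
    "GET /backend-down": "HTTP/1.1 502 Bad Gateway\r\n"
                         "server: Microsoft-Azure-Application-Gateway/V2\r\n\r\n",
}


def parse_head(raw):
    """Return (status_code, [non-empty Server values]) for one response head."""
    lines = raw.splitlines() or [""]
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    # Header names are case-insensitive; the email parser matches them that way.
    headers = Parser().parsestr("\n".join(lines[1:]), headersonly=True)
    values = [v.strip() for v in headers.get_all("Server", []) if v.strip()]
    return int(parts[1]), values


def audit(captures):
    """Group every disclosed Server value by status class ('2xx', '4xx', ...)."""
    findings = {}
    for label, raw in captures.items():
        status, values = parse_head(raw)
        for value in values:
            findings.setdefault(f"{status // 100}xx", []).append({
                "request": label,
                "status": status,
                "server": value,
                "is_gateway": value.startswith(GATEWAY_BANNER),
            })
    return findings


if __name__ == "__main__":
    for status_class, items in sorted(audit(CAPTURES).items()):
        for f in items:
            print(status_class, f["status"], f["request"], "->", f["server"])
```

On the constructed captures only the 403 and 502 responses are reported, which is the pattern to expect if the rewrite rule applies to proxied responses but not to 4xx and 5xx responses.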

