Removing HTTP response headers for public/internet facing SharePoint sites

One of the first recommendations from any security engineer is to remove unwanted HTTP response headers, including SharePoint-specific headers such as MicrosoftSharePointTeamServices and X-SharePointHealthScore, because they tell a client that the server runs SharePoint and which version.

On a typical SharePoint site the response headers look like this:


Cache-Control:no-cache, no-store, must-revalidate
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:63955
Content-Type:text/html; charset=utf-8
Date:Tue, 25 Aug 2015 06:38:25 GMT
Expires:-1
MicrosoftSharePointTeamServices:14.0.0.6108
Pragma:no-cache
Server:Microsoft-IIS/7.5
SPRequestGuid:e3cad3b6-64a8-43f0-925d-81ef1ae50529
Vary:Accept-Encoding
X-AspNet-Version:2.0.50727
x-frame-options:SAMEORIGIN
X-Powered-By:FE3
X-SharePointHealthScore:0

Firstly, let's talk about the HTTP header “MicrosoftSharePointTeamServices”. This header is added to the IIS “HTTP Response Headers” by SharePoint during web application provisioning. The SharePoint search engine relies on it during a crawl so that the site is recognised and crawled as a SharePoint site rather than as a plain web site.

Impact of removing the MicrosoftSharePointTeamServices header:

If this header is removed, it will cause search-related issues. Refer to this KB article, which describes the impact of removing the header. The search service needs it to crawl a SharePoint site, because the header is the indication to the search service application that this is a SharePoint site and which version it runs. Besides search, “MicrosoftSharePointTeamServices” is also used by the Client Integration feature: disabling the “Enable Client Integration” option on the “Manage web applications” page in Central Administration removes the header from the HTTP response of the corresponding IIS web site. Removing this header therefore also breaks Office integration with SharePoint.

For example, InfoPath forms.


You would also no longer be able to open the site in SharePoint Designer once this header is removed.

If you are not using SharePoint Designer or any client integration features on the public site, but still need search to work for it, you can consider the following steps.

- Extend the current web application into two zones: one internet-facing zone and the internal (default) zone.
- On the internet zone, disable “Enable Client Integration” to remove the HTTP response header “MicrosoftSharePointTeamServices” from that zone only.
- Replace the start address in the content source with the default zone URL and run a full crawl again, because the SharePoint search service always needs to crawl the default zone.
- For SharePoint Designer, edit and make changes through the default zone only.
- For Office integration features such as InfoPath forms, only the default zone will work.
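The steps above carried out with the SharePoint management shell, as an added example that is not part of the original post. It assumes a farm where http://intranet.contoso.local is the existing default zone, www.contoso.com is the host name chosen for the new internet zone, and the content source is named “Local SharePoint sites”; all three are placeholders. Client integration is turned off through the zone's IIS settings object, which is what the Central Administration checkbox toggles, so the IIS site is never edited by hand. The final function fetches the root page of each zone and reports which of the headers from the listing above are still returned, so you can confirm that the default zone keeps MicrosoftSharePointTeamServices while the internet zone does not.

```powershell
# Added example, not from the original post. Assumed names and URLs:
#   $defaultZoneUrl    existing default zone that search will keep crawling
#   $internetZoneUrl   public URL of the new Internet zone
#   $contentSourceName content source whose start address is replaced
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$defaultZoneUrl    = "http://intranet.contoso.local"   # assumption
$internetZoneUrl   = "http://www.contoso.com"          # assumption
$internetHostName  = "www.contoso.com"                 # assumption
$contentSourceName = "Local SharePoint sites"          # assumption

# Step 1: extend the web application into the Internet zone.
# This creates a second IIS site that serves the same content databases.
$webApp = Get-SPWebApplication -Identity $defaultZoneUrl
New-SPWebApplicationExtension -Identity $webApp -Name "SharePoint - Internet" `
    -Zone Internet -URL $internetZoneUrl -Port 80 -HostHeader $internetHostName | Out-Null

# Step 2: disable client integration on the Internet zone only.
# EnableClientIntegration is the setting behind "Enable Client Integration" in
# Central Administration; with it off SharePoint stops emitting the
# MicrosoftSharePointTeamServices header for that IIS site. The Default zone is
# untouched, so crawling, SharePoint Designer and Office integration keep working there.
$webApp = Get-SPWebApplication -Identity $defaultZoneUrl   # re-read after the extension
$internetZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Internet
$iisSettings  = $webApp.IisSettings[$internetZone]
$iisSettings.EnableClientIntegration = $false
$webApp.Update()

# Step 3: point the content source at the Default zone and run a full crawl.
# -StartAddresses replaces the existing list, so only the default zone URL remains.
$ssa = Get-SPEnterpriseSearchServiceApplication
$contentSource = Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa -Identity $contentSourceName
Set-SPEnterpriseSearchCrawlContentSource -Identity $contentSource -SearchApplication $ssa -StartAddresses $defaultZoneUrl
$contentSource.StartFullCrawl()

# Step 4: check which disclosure headers each zone still returns.
function Get-DisclosureHeaders {
    param([string]$Url)
    # Headers from the listing in the post that identify product and version.
    $watch = "MicrosoftSharePointTeamServices", "X-SharePointHealthScore",
             "X-AspNet-Version", "X-Powered-By", "Server"
    $request = [System.Net.WebRequest]::Create($Url)
    $request.UseDefaultCredentials = $true
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # A 401/403 from an authenticated zone still carries the response headers.
        $response = $_.Exception.Response
        if ($null -eq $response) { throw }
    }
    $found = @{}
    foreach ($name in $watch) {
        $value = $response.Headers[$name]
        if ($value) { $found[$name] = $value }
    }
    $response.Close()
    return $found
}

Write-Host "Default zone ($defaultZoneUrl):"
(Get-DisclosureHeaders $defaultZoneUrl).GetEnumerator() | Format-Table -AutoSize
Write-Host "Internet zone ($internetZoneUrl):"
(Get-DisclosureHeaders $internetZoneUrl).GetEnumerator() | Format-Table -AutoSize
```

Run it as a farm administrator on a SharePoint server. After the crawl completes, the default zone output should still list MicrosoftSharePointTeamServices and the internet zone output should not; the other headers in the watch list are unrelated to client integration and are unaffected by these steps.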

Note: It is not recommended to remove the HTTP response header “MicrosoftSharePointTeamServices” from the IIS web site manually, because it is critical for letting other SharePoint components know that this is a SharePoint site and which exact version it runs. Instead, follow the steps above so that search crawls the default internal zone.