Was getting this error on a client’s web server while running PCI compliance scans. It came up as a vulnerability on a windows server 2008 box with IIS 7. I was able to confirm this problem by going to:
Entering the URL for testing.
Selecting the HTTP/1.0 (without Host header)
Selecting User Agent: NONE
The submitted the form. The location field on the bottom showed the server (which is behind a load balancer) showed it’s internal IP address which is a security concern. To fix this, we wanted to have IIS not show the IP. This can be done with the following command:
c:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:WHATEVER.COM /commit:apphost Applied configuration changes to section “system.webServer/serverRuntime” for “MACHINE/WEBROOT/APPHOST” at configuration commit path “MACHINE/WEBROOT/APPHOST”
Replace WHATEVER.COM with the value you want displayed.