In IIS7 you have to use an HTTP module. Build the following as a class library in VS:

namespace StrongNamespace.HttpModules
{
  public class CustomHeaderModule : IHttpModule
  { 
    public void Init(HttpApplication context)
    {
      context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    } 

    public void Dispose() { } 

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
      HttpContext.Current.Response.Headers.Set("Server", "Box of Bolts");
    }
  }
}

Then add the following to your web.config, or you configure it within IIS (if you configure within IIS, the assembly must be in the GAC).

<configuration>
  <system.webServer>
    <modules>
      <add name="CustomHeaderModule"
       type="StrongNamespace.HttpModules.CustomHeaderModule" />
    </modules>
  </system.webServer>
</configuration>

Scott Mitchell provides in a blog post solutions for removing unnecessary headers.

As already said here in other answers, for the Server header, there is the http module solution or the UrlScan module. (URLScan module is no more available in IIS7.5+. Use URLRewrite instead for blanking it.)

For X-AspNet-Version and X-AspNetMvc-Version, he provides a better way than removing them on each response: simply not generating them at all.

Use enableVersionHeader for disabling X-AspNet-Version, in web.config

<httpRuntime enableVersionHeader="false" />

Use MvcHandler.DisableMvcResponseHeader in .Net Application_Start event for disabling X-AspNetMvc-Version

MvcHandler.DisableMvcResponseHeader = true;

And finally, remove in IIS configuration the X-Powered-By custom header.

Do not forget that solution by application code does not apply by default to header generated on static content (you may activate the runAllManagedModulesForAllRequests for changing that, but it causes all requests to run .Net pipeline). It is not an issue for X-AspNetMvc-Version since it is not added on static content (at least if static request are not run in .Net pipeline).

Side note: when the aim is to cloak used technology, you should also change standard .Net cookie names (.ASPXAUTH if forms auth activated (use name attribute on forms tag in web.config), ASP.NET_SessionId (use <sessionState cookieName="yourName" /> in web.config under system.web tag), __RequestVerificationToken (change it by code with AntiForgeryConfig.CookieName, but unfortunately does not apply to the hidden input this system generates in the html)).

Actually the coded modules and the Global.asax examples shown above only work for valid requests.

For example, add < on the end of your URL and you will get a "Bad request" page which still exposes the server header. A lot of developers overlook this.

The registry settings shown do not work either. URLScan is the ONLY way to remove the "server" header (at least in IIS 7.5).

I tried all of the stuff here and on several other similar stack overflow threads.

I got hung up for a bit because I forgot to clear my browser cache after making config changes. If you don't do that and the file is in your local cache, it will serve it back to you with the original headers (duh).

I got it mostly working by removing the runAllManagedModulesForAllRequests:

<modules runAllManagedModulesForAllRequests="true">

This removed the extraneous headers from most of the static files but I still was getting the "Server" header on some static files in my WebAPI project in swagger.

I finally found and applied this solution and now all of the unwanted headers are gone:

https://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85

which discusses his code that is here:

https://github.com/Dionach/StripHeaders/releases/tag/v1.0.5

This is a Native-Code module. It is able to remove the Server header, not just blank out the value. By default it removes:

• Server
• X-Powered-By
• X-Aspnet-Version
• Server: Microsoft-HTTPAPI/2.0 -- which would be returned if "the request fails to be passed to IIS"

Add this to your global.asax.cs:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

I had researched this and the URLRewrite method works well. Can't seem to find the change scripted anywhere well. I wrote this compatible with PowerShell v2 and above and tested it on IIS 7.5.

# Add Allowed Server Variable
    Add-WebConfiguration /system.webServer/rewrite/allowedServerVariables -atIndex 0 -value @{name="RESPONSE_SERVER"}
# Rule Name
    $ruleName = "Remove Server Response Header"
# Add outbound IIS Rewrite Rule
    Add-WebConfigurationProperty -pspath "iis:\" -filter "system.webServer/rewrite/outboundrules" -name "." -value @{name=$ruleName; stopProcessing='False'}
#Set Properties of newly created outbound rule 
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/match" -name "serverVariable" -value "RESPONSE_SERVER"
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/match" -name "pattern" -value ".*"
    Set-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST"  -filter "system.webServer/rewrite/outboundRules/rule[@name='$ruleName']/action" -name "type" -value "Rewrite"