views:

579

answers:

6

I am just curious to know if there is a specific reason why the .Net Framework adds the 'X-Powered-By:ASP.NET' Http Header in its responses? Do other web servers (Apache, httpd) do the same thing?

EDIT: I know that it can be changed. I want to know if there is a reason to keep it or leave it as it is?

+3  A: 

It is a default custom header when using IIS. It is a setting in IIS, you can change it if you wish.

Using IIS6 -

  • Click on the HTTP Headers tab
  • You can edit or remove the header in the Custom HTTP Headers box.
Dan
How about shared hosting?
dario-g
A: 

If "Why" used in context of "how to change it" - go to IIS properties of your site ant open tab "HTTP Headers" and correct Custom HTTP Header.

Dewfy
+1  A: 

I know that PHP does this. I guess there is no real purpose, other than marketing and making it easier for script kiddies to find suitable victims. For PHP it's better to disable the flag entirely since it shows the PHP version and therefore makes the server more vulnerable to attacks.

Edit: Who knows, it might also lead to better search results on bing... ;-)

Adrian Grigore
So it's a show of confidence ;-)
Tor Haugen
+2  A: 

It is fairly common to see a signature for the server/executing engine sent with the headers of a page whether you're running Apache and PHP or IIS and ASP.NET. Just acts as some free publicity, I suppose.

Nathan Taylor
Publicity is exactly _why_ it's there. Something about search engines and statistics but I don't remember. It would be interesting to figure how much total bandwidth those silly, wasteful little headers consume over, say, a year.
Bob Kaufman
+1  A: 

Tomcat, Apache, WebSphere, JBoss, you name it..

Appearantly, it's not actually a standard HTTP header field.

Tor Haugen
+2  A: 

It is probably there so that sites like Netcraft can pull together statistics for the number of servers running IIS and ASP.NET. This used to be considered an important thing when .NET was released. By stating that n number of sites started using ASP.NET Microsoft could provide metrics for companies that only adopt technology based on the number of other users out there.

I don't believe there is a strong technical reason for having it since a PHP app could imitate an ASP.NET application, by setting the same header in Apache. I could imagine some naive client applications like FrontPage 2003, or SharePoint Designer might use headers like this to validate that they are indeed connecting to an ASP.NET enabled site but that is speculation on my part.

BrianLy