views:

183

answers:

5

I have developed a web application in ASP.NET 3.5 and C#. When I deploy the application, people can see the telltale signs that I'm using ASP.NET. How do I make it so that anyone who sees my site won't see that I'm using ASP.NET?

+5  A: 

Because of the nature of ASP.NET, any dynamically built control will show up with $Ctrl. If you use ViewState, that will show up. If you use ASP.NET Event Validation, that will show up.

If you don't want it to show up, all you can do is use another Framework (ASP.NET MVC), or not use any of those features of ASP.NET (Which would be silly if you're using ASP.NET).

If your pages are suffixed with .aspx, then everyone is going to know you're using ASP.NET anyway. Are you using URL Rewriting?

George Stocker
Seems like disabling view state will work for me, in this case I am missing asp.net 4.0, in 3.5 I believe that I have to disable viewstate for the whole page and not for the specific control.Am I correct?
Zerotoinfinite
Yes; you have to disable viewstate for the page. http://www.ironspeed.com/articles/Disable%20View%20State%20for%20a%20Page/Article.aspx
George Stocker
+2  A: 

I would recommend:

  • Using a Url Rewriter to change or removing the page extensions
  • Not using view State.
You might also suggest removing any indication of IIS or .NET from the HTTP headers returned.
Steven Sudit
+1  A: 

Defining telltale signs? Without looking at the source, the only obvious way would be the .ASPX extension.

Looking at the source, you'd need to remove

<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" ...

    <script type="text/javascript">
//<![CDATA[
var theForm = document.forms['aspnetForm'];
if (!theForm) {
    theForm = document.aspnetForm;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>
  • Any references to WebResource.axd or ScriptResource.axd
  • ASP.NET control names (ctl00, etc)
  • Response Headers X-Powered-By and X-AspNet-Version

Can anyone think of others?

Greg
A: 

Your only real choice is to switch to ASP.NET MVC; otherwise, there will be tells somewhere for anyone who really knows ASP.NET, or you'll be limiting the features you use to the extent that there's no benefit in using ASP.NET. Even without ViewState, if you have controls embedded in panels, or use master pages, control IDs will be give-aways. Any MS-specific JavaScript emitted by controls or by the page will be give-aways. Consistent use of a single form per page is pretty much a give-away. Lots and lots of things indicate ASP.NET.

Why is this so important?

Cylon Cat
+1  A: 

You may also want to remove embedded resources. The .axd extenstions in the page source are a give-away.

Edit: Coming to think of it, the hidden fields (ex. __EVENTVALIDATION) are give-aways too...

Srikanth Venugopalan