Each page in an MVC application I'm working with sets these HTTP headers in requests:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
How do I prevent these from showing?
views:
39answers:
2
+3
A:
The "powered by" is a custom header in IIS. Changing it depends on the version of IIS you are using. For some information on how to modify or remove, see here:
http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders
To remove the MVC header,
In Global.asax, in the Application Start event:
MvcHandler.DisableMvcResponseHeader = true;
Put this in the web.config get rid of the X-AspNet-Version header:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
RedFilter
2010-08-05 19:47:12
@RedFilter Even the X-AspNetMvc-Version?
Paul Fryer
2010-08-05 19:47:59
Good point, that is added by MVC. See my update.
RedFilter
2010-08-05 19:48:57
+1 - For interest's sake, 1) Why would you? 2) Does it have any adverse affect?
BritishDeveloper
2010-08-05 21:20:59
You do this for security reasons to obfuscate what technology you use to generate your web pages. This forces hackers to work a little harder.
RedFilter
2010-08-05 21:25:36
@BritishDeveloper This was a recommendation that came out of a security review. I guess its a best practice not to advertise your technology stack, because that helps hackers target specific vulnerabilities with that platform.
Paul Fryer
2010-08-05 21:27:02
@RedFilter Thank you for your quick and detailed answer!
Paul Fryer
2010-08-05 21:28:59
+1
A:
Check out this article Removing Unnecessary HTTP Headers in IIS and ASP.NET , it describes how to remove all your listed headers.
Pavel Morshenyuk
2010-08-05 19:49:51