Mads Kristensen

My personal blog about everything tech

Here we are in that certain part of the year where the sun is beginning to shine and the winter has ended. Officially the winter ended January 31st, but here in Denmark it has been known to snow in May on occasion, but in June it becomes safe to say that the summer is kicking in. All the rain, thunder storms and just plain gray and windy weather are over (almost) and now it’s finally vacation time.

This year I’m heading south, down to the sunny country of Italy. I start in Milano for a few days and then hit the road in an Alfa Romeo 159. Along the route I plan to visit Le Cinque Terre, Pisa, Roma, Firenze, Rimini, Venice, Verona and back to Milano to fly home.

It means that I will not be active on this website until I get back. I really need to be totally offline and just enjoy the freedom of the open road.

While I’m gone, the rest of the BlogEngine.NET team is working very hard on the next release which probably will be released shortly after my return. The 1.1 release will take BlogEngine.NET to a whole new level of performance, stability, security and of course also have many new existing features.

The next posts after my return will – amongst other things – be about unit testing, which I’m very ambivalent about and try to explain why and what I do to unit test applications. This subject was requested by a reader/friend and I just can’t say no to such requests.

Until then, arrivederci.

I’ve always been a little annoyed by the fact that ASP.NET websites sends the version number as a HTTP header. For an ASP.NET 2.0 application this is added automatically to the headers and you cannot remove it from code. This is what it looks like:

X-AspNet-Version => 2.0.50727

Why would it be necessary to send this information about your application to possible hackers? It doesn’t make sense. Maybe it’s because it allows for statistics to be collected about what versions people are using. Microsoft could then send a crawler to investigate all the websites in the Windows Live search database. I don’t have a problem with that; it’s the hackers I fear.

The other auto-injected header X-Powered-By => ASP.NET is fine with me. It’s easy for people to see by the .aspx extension that you run ASP.NET anyway, so this is not a security issue but still a little annoying that you cannot remove it from within your ASP.NET application. You have to remove it from the IIS.

Then the other day I was playing around with the web.config and by accident noticed the httpRuntime tag and its enableVersionHeader attribute. For some reason I’ve never noticed it before. If the enableVersionHeader attribute is set to false, the X-AspNet-Version header will not be sent.

So, to get rid of the X-AspNet-Version HTTP header from the response, just copy this line into the web.config’s <system.web> section:

<httpRuntime enableVersionHeader="false" />

I think if it was such a big deal to get rid of it, I’d probably done some more research and found this trick years ago. Anyway, I just thought I would share it with you.

To check the HTTP headers sent from your own site, you can use one of the many online tools like this one.