I’ve always been a little annoyed by the fact that ASP.NET websites sends the version number as a HTTP header. For an ASP.NET 2.0 application this is added automatically to the headers and you cannot remove it from code. This is what it looks like:

X-AspNet-Version => 2.0.50727

Why would it be necessary to send this information about your application to possible hackers? It doesn’t make sense. Maybe it’s because it allows for statistics to be collected about what versions people are using. Microsoft could then send a crawler to investigate all the websites in the Windows Live search database. I don’t have a problem with that; it’s the hackers I fear.

The other auto-injected header X-Powered-By => ASP.NET is fine with me. It’s easy for people to see by the .aspx extension that you run ASP.NET anyway, so this is not a security issue but still a little annoying that you cannot remove it from within your ASP.NET application. You have to remove it from the IIS.

Then the other day I was playing around with the web.config and by accident noticed the httpRuntime tag and its enableVersionHeader attribute. For some reason I’ve never noticed it before. If the enableVersionHeader attribute is set to false, the X-AspNet-Version header will not be sent.

So, to get rid of the X-AspNet-Version HTTP header from the response, just copy this line into the web.config’s <system.web> section:

<httpRuntime enableVersionHeader="false" />

I think if it was such a big deal to get rid of it, I’d probably done some more research and found this trick years ago. Anyway, I just thought I would share it with you.

To check the HTTP headers sent from your own site, you can use one of the many online tools like this one.


Comments are closed