


06.29.07


ASP.NET Security: Remove The X-AspNet-Version Header

By Mads Kristensen

I've always been a little annoyed by the fact that ASP.NET websites send the version number as an HTTP header.

For an ASP.NET 2.0 application this is added automatically to the headers and you cannot remove it from code. This is what it looks like:

X-AspNet-Version => 2.0.50727

Why would it be necessary to send this information about your application to possible hackers? It doesn't make sense.

Maybe it's because it allows for statistics to be collected about what versions people are using. Microsoft could then send a crawler to investigate all the websites in the Windows Live search database.

I don't have a problem with that; it's the hackers I fear.

The other auto-injected header X-Powered-By => ASP.NET is fine with me.

It's easy for people to see by the .aspx extension that you run ASP.NET anyway, so this is not a security issue, but it is still a little annoying that you cannot remove it from within your ASP.NET application. You have to remove it in IIS.

Then the other day I was playing around with the web.config and by accident noticed the httpRuntime tag and its enableVersionHeader attribute. For some reason I had never noticed it before. If the enableVersionHeader attribute is set to false, the X-AspNet-Version header will not be sent.


So, to get rid of the X-AspNet-Version HTTP header from the response, just copy this line into the <system.web> section of web.config (note that the element and attribute names are case-sensitive):

<httpRuntime enableVersionHeader="false" />

I think if it had been such a big deal to get rid of it, I'd probably have done some more research and found this trick years ago. Anyway, I just thought I would share it with you.

To check the HTTP headers sent from your own site, you can use one of the many online tools like this one.
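The following script is an added example, not code from the article or from Microsoft. It covers both steps above: it parses a web.config fragment and reports whether the httpRuntime element really has enableVersionHeader="false" (catching the easy mistake of writing the element in lower case, which does not match the case-sensitive name ASP.NET expects), and it scans the header block of a raw HTTP response for stack-revealing headers such as X-AspNet-Version, so the check can be scripted instead of done through an online tool. Both the web.config samples and the HTTP responses are constructed inline so the script runs offline; the header values in them are made up for illustration.

```python
"""Audit helpers for the X-AspNet-Version header (added example, stdlib only)."""
import xml.etree.ElementTree as ET

# Response headers that reveal the server-side stack. X-AspNet-Version is the
# one the article removes; X-Powered-By and Server are usually reviewed with it.
DISCLOSING_HEADERS = ("x-aspnet-version", "x-powered-by", "server")


def version_header_disabled(web_config_xml: str) -> bool:
    """True only if <system.web>/<httpRuntime enableVersionHeader="false"/> exists.

    XML is case-sensitive, so <httpruntime enableversionheader="false"> is not the
    element ASP.NET looks for and is reported here as *not* disabling the header.
    """
    root = ET.fromstring(web_config_xml)
    for system_web in root.iter("system.web"):      # exact, case-sensitive match
        runtime = system_web.find("httpRuntime")
        if runtime is not None:
            value = runtime.get("enableVersionHeader", "true")
            return value.strip().lower() == "false"
    return False


def disclosing_headers(raw_response: str) -> dict:
    """Return stack-disclosing headers from a raw HTTP response, keyed by
    lower-case header name (empty dict means nothing was disclosed)."""
    head = raw_response.split("\r\n\r\n", 1)[0]      # header block only
    found = {}
    for line in head.split("\r\n")[1:]:             # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in DISCLOSING_HEADERS:
            found[name] = value.strip()
    return found


# --- constructed sample inputs (not taken from the article) -----------------
CONFIG_FIXED = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
"""

# Same intent, but in lower case: the element name no longer matches.
CONFIG_WRONG_CASE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpruntime enableversionheader="false" />
  </system.web>
</configuration>
"""

RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"            # constructed value
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html></html>"
)

RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"            # constructed value
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html></html>"
)


def main() -> None:
    print("fixed config disables header:", version_header_disabled(CONFIG_FIXED))
    print("lower-case config disables header:", version_header_disabled(CONFIG_WRONG_CASE))
    print("headers before:", disclosing_headers(RESPONSE_BEFORE))
    print("headers after:", disclosing_headers(RESPONSE_AFTER))


if __name__ == "__main__":
    main()
```

To check a live site, capture the response headers (for example with a command-line HTTP client) and pass the raw text to disclosing_headers; an empty result for x-aspnet-version confirms the web.config change took effect.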

About the Author:
Mads Kristensen currently works as a Senior Developer at Traceworks located in Copenhagen, Denmark. Mads graduated from Copenhagen Technical Academy with a multimedia degree in 2003, but has been a professional developer since 2000. His main focus is on ASP.NET but is responsible for Winforms, Windows- and web services in his daily work as well. A true .NET developer with great passion for the simple solution.

http://www.madskristensen.dk/

-- WebProAsp is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2007 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal