ASP.Net Custom Headers

Posted by on April 22, 2010

Have you ever taken the time to look at the headers that are returned from your ASP.Net application? If you have, you may have noticed the following two headers that are added for ASP.Net:

X-Powered-By: ASP.Net
X-AspNet-Version: x.x.xxxx (the version of .Net used for the application)

Many people ask how to remove these two headers from the Response. There are different methods, depending on the version of Internet Information Server (IIS) you are using. I will address these headers individually due to how they are handled.

X-Powered-By
In IIS 6 and earlier, this can only be done through the IIS console. To do this, follow these steps:

Open the IIS Management Console
Open up the web site properties
Click the HTTP Headers tab
Under Custom HTTP Headers click on the header you want to remove, then click the “Remove” button.

In IIS 7 it is possible to remove this header through the web.config file for the application. In the configuration section, add the following elements:

<system.webServer>
  <httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

X-AspNet-Version
This header can be removed from the web.config file by using the <httpRuntime> tag as seen below:

<httpRuntime enableVersionHeader="false" />
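The two fragments above end up in different sections of web.config, and the only way to know the change took effect is to look at what the server actually sends. The script below is an added example, not code from the article: it merges both settings into one constructed sample web.config (the <httpRuntime> element sits under <system.web>, the customHeaders <remove> under <system.webServer>), checks a web.config for both suppressions, and scans raw HTTP responses for the two disclosure headers. The sample web.config and the two sample responses are constructed for the example; the live check is for a server you run yourself.

```python
"""Verify that an ASP.NET site no longer discloses X-Powered-By and X-AspNet-Version,
from both ends: the web.config that should suppress them and the response that proves it."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# The two headers the article removes; matched case-insensitively, as HTTP requires.
DISCLOSURE_HEADERS = ("X-Powered-By", "X-AspNet-Version")

# Constructed sample: the article's two fragments merged into one web.config.
# <httpRuntime> belongs under <system.web>; the customHeaders <remove> belongs
# under <system.webServer>, which IIS 7 reads.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Constructed sample responses: a default install, and the same site after the fix.
RESPONSE_BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
RESPONSE_AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_raw_headers(raw_response: bytes) -> list:
    """Split a raw HTTP response into (name, value) header pairs; the body is ignored."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # element [0] is the status line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return pairs


def find_disclosure_headers(headers) -> dict:
    """Return {canonical-name: value} for each disclosure header present in headers."""
    wanted = {h.lower(): h for h in DISCLOSURE_HEADERS}
    return {wanted[n.lower()]: v for n, v in headers if n.lower() in wanted}


def _children(elem, tag):
    """Direct children of elem with the given tag (empty list if elem is None)."""
    return [] if elem is None else [c for c in elem if c.tag == tag]


def _descend(root, *tags):
    """Follow a chain of child tags down from root; None if any link is missing."""
    node = root
    for tag in tags:
        found = _children(node, tag)
        node = found[0] if found else None
    return node


def check_web_config(xml_text: str) -> dict:
    """Report, per header, whether this web.config suppresses it (True = suppressed)."""
    root = ET.fromstring(xml_text)
    custom = _descend(root, "system.webServer", "httpProtocol", "customHeaders")
    powered_by_removed = any(
        r.get("name", "").lower() == "x-powered-by" for r in _children(custom, "remove")
    )
    runtime = _descend(root, "system.web", "httpRuntime")
    # enableVersionHeader defaults to true when the attribute is absent.
    version_off = runtime is not None and runtime.get("enableVersionHeader", "true").lower() == "false"
    return {"X-Powered-By": powered_by_removed, "X-AspNet-Version": version_off}


def live_check(url: str) -> dict:
    """HEAD a URL on a server you operate and return any disclosure headers it still sends."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return find_disclosure_headers(resp.getheaders())
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        return find_disclosure_headers(err.headers.items())


if __name__ == "__main__":
    print("sample web.config:", check_web_config(SAMPLE_WEB_CONFIG))
    print("before:", find_disclosure_headers(parse_raw_headers(RESPONSE_BEFORE)))
    print("after: ", find_disclosure_headers(parse_raw_headers(RESPONSE_AFTER)))
    for target in sys.argv[1:]:  # e.g. http://localhost/
        print(target, live_check(target))
```

Run it with no arguments to see the constructed before/after comparison, or pass the URL of your own test site to confirm the deployed configuration. An empty dictionary from the response check means both headers are gone; a True/True result from the web.config check only shows the file asks for it, so the response check is the one that counts after a deployment or an IIS settings change on a farm.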

So Why Remove Them?
There are two good reasons for removing these headers. Both are debatable, depending on who you talk to. First, removing these headers provides a little added security benefit. I know, I know, a good attacker’s toolkit will do packet inspection to determine this information. Better yet, most asp.net sites give it away by the file extension. I am not going to argue that fact at all. I disagree that it creates a false sense of security; that is just an excuse not to do something. The version information is more important for the security argument. There are differences between the frameworks that make knowing the exact version of asp.net attractive. It is better to just not give it away and let the attacker try to figure it out.

Second, there is a performance gain in the amount of data transferred to the client. Again, I will not disagree that the 50 or so bytes is a small amount of data. But when you are running an enterprise application with millions of hits a day, that small amount really adds up in bandwidth.

These headers may be important while debugging with Visual Studio, but they are not important or needed for a production system. I am actually astounded by the fight to not remove these headers when it is an hour job at most (if you have to update a web farm with IIS settings). Every application is different and this is just my opinion on these headers. If you want to remove them, this should show you how.
