Information disclosure: ASP.NET/IIS versions are included in the server response

Question

The web server's response headers contain information about various technologies used by the web server, including the ASP.NET version. Can this be fixed?

Answer

This can be fixed by using a correct IIS configuration.

Apart from HTTP headers that are essential for improving the security of your web server, there are also headers that are optional.
By default, both X-Powered-By and X-AspNet-Version are included in server responses. We recommend that you disable these headers since providing identifying information can pose a security threat.

To remove the X-Powered-By header (an HTTP header that contains information about various technologies used by the web server) from the IIS configuration, paste the following code into the <system.webServer> section of the web.config file:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

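To remove the X-AspNet-Version header (an HTTP header that contains information about the ASP.NET version) from the IIS configuration, paste the following code into the <system.web> section of the web.config file. If that section already contains an <httpRuntime> element, add the enableVersionHeader attribute to the existing element instead of pasting a second one: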

<httpRuntime enableVersionHeader="false" />
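
One way to check that a web.config carries both settings after the change, as an added example that is not part of the original article. The function name, the template and the sample configurations are constructed for illustration, and the check reads only the top-level sections of a single file, not <location> overrides or server-level configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from the article).
TEMPLATE = """<configuration>
  <system.web><httpRuntime {runtime} /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    {headers}
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

# Both settings from the article applied.
HARDENED = TEMPLATE.format(
    runtime='enableVersionHeader="false"',
    headers='<remove name="X-Powered-By" />')

# The header is removed and then added back; version header left at default.
REGRESSED = TEMPLATE.format(
    runtime='targetFramework="4.8"',
    headers='<remove name="X-Powered-By" />'
            '<add name="X-Powered-By" value="ASP.NET" />')


def audit_web_config(xml_text):
    """Return the disclosure headers this web.config still lets IIS send."""
    root = ET.fromstring(xml_text)
    findings = []

    # X-Powered-By is sent by default, so treat it as present until a
    # <remove> or <clear> drops it; a later <add> brings it back.
    powered_by = True
    for el in root.findall("./system.webServer/httpProtocol/customHeaders/*"):
        name = (el.get("name") or "").lower()  # header names: case-insensitive
        if el.tag == "clear" or (el.tag == "remove" and name == "x-powered-by"):
            powered_by = False
        elif el.tag == "add" and name == "x-powered-by":
            powered_by = True
    if powered_by:
        findings.append("X-Powered-By")

    # X-AspNet-Version is sent unless enableVersionHeader is explicitly false.
    runtime = root.find("./system.web/httpRuntime")
    flag = "true" if runtime is None else runtime.get("enableVersionHeader", "true")
    if flag.strip().lower() != "false":
        findings.append("X-AspNet-Version")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("regressed", REGRESSED)):
        print(label, audit_web_config(cfg) or "no version headers configured")
```

After deploying, confirm the result against the live site as well, since headers can also be set at the server level or by other modules.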

Additional information

Securing IIS server
