Description
The presence of the X-AspNet-Version and X-AspNetMvc-Version headers exposes the version of ASP.NET used by the web server, providing valuable information to attackers. This disclosure can aid attackers in identifying vulnerabilities and planning their attacks more effectively.
Recommendation
To mitigate this issue:
- To remove the X-AspNet-Version header, add the following line in your web.config within the <system.web> section:
  <httpRuntime enableVersionHeader="false" />
- To remove the X-AspNetMvc-Version header, add the following line in Global.asax:
  MvcHandler.DisableMvcResponseHeader = true;
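
A way to verify both settings, added here as an example and not part of the original advisory: the script audits a web.config for the httpRuntime setting and checks a captured response for either header. The function names, the sample configs and the sample response (including its version values) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Header names from the advisory, lower-cased because HTTP header names are case-insensitive.
DISCLOSING = ("x-aspnet-version", "x-aspnetmvc-version")

def version_header_disabled(web_config_xml):
    """True only if <system.web>/<httpRuntime enableVersionHeader="false"> is set.
    enableVersionHeader defaults to true, so a missing element or attribute fails."""
    root = ET.fromstring(web_config_xml)
    runtime = root.find("system.web/httpRuntime")
    if runtime is None:
        return False
    return runtime.get("enableVersionHeader", "true").strip().lower() == "false"

def disclosed_versions(raw_response):
    """Return {header name: value} for version headers in a raw HTTP response head."""
    found = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():                     # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in DISCLOSING:
            found[name.strip()] = value.strip()
    return found

# Constructed samples: a config before and after the fix, and a response from an unfixed site.
CONFIG_BEFORE = ('<configuration><system.web>'
                 '<httpRuntime targetFramework="4.8" />'
                 '</system.web></configuration>')
CONFIG_AFTER = ('<configuration><system.web>'
                '<httpRuntime targetFramework="4.8" enableVersionHeader="false" />'
                '</system.web></configuration>')
RESPONSE_BEFORE = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html; charset=utf-8\r\n"
                   "X-AspNetMvc-Version: 5.2\r\n"
                   "X-AspNet-Version: 4.0.30319\r\n"
                   "\r\n"
                   "X-AspNet-Version: body text, not a header\r\n")
RESPONSE_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print("web.config", label, "-> header disabled:", version_header_disabled(cfg))
    for label, resp in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        print("response", label, "-> disclosed:", disclosed_versions(resp) or "none")
```

The config check only covers X-AspNet-Version; the MVC header is switched off in code, so the response check is what confirms that half of the fix.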