My application is showing the Version information using headers

Question

User-190152932 posted

I have a standard C# MVC project it is live and we have an open bug bounty program, a user has mentioned we are showing a Version information leak using headers, as in they can see:

X-AspNet-Version: 4.0.30319

They have said:

"The version of aspnet is leaked. Which will help attacker to find vulnerable CVEs and exploit the vulnerability"

I should be aiming to not show this, I have my site hosted with an external company so my question is how do I not show this to external users? Any know thanks in advance :)

Answer 1

User-1330468790 posted

Hi JessSimms1, 

  

Add this to web.config (In the root of your project) to get rid of the X-AspNet-Version header: 

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

  

Besides, you might be bothered by other unexpected headers:

• X-Powered-By: is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders

  

Hope this can help you.

Best regards,

Sean

Answer 2

User-190152932 posted

Will close this I think as our site is externally hosted and we aren't able to configure the webservers to solve this anyway, many thanks