Answered by:
ASP.NET Security

Question
-
User-614943948 posted
When I open an ASP.NET application in Google Chrome, while inspecting HTML Elements>Network>Headers:
1. In general it shows RequestURL, which I want to hide.
2. In Response header> X-ASP.NET Version it shows version information, which I want to hide.
3. In Request header> Referer it again shows the URL, which I want to hide.
How can I hide these things?
Monday, April 5, 2021 9:04 AM
All replies
-
User475983607 posted
It is not possible to hide header lines in an HTTP message. You can remove the X-ASP.NET header.
The referrer comes from the browser (client). The client can send whatever it wants.
The requested URL is also in the address bar and required to get the resource from the server.
Monday, April 5, 2021 12:46 PM -
User-614943948 posted
What is Orion in this context?
Tuesday, April 6, 2021 9:21 AM -
User-1330468790 posted
Hi maverick786us,
If you mean "Orion" in your research result, it is just a platform to do IT management. You don't need to focus on this word.
Now your question is how to remove Response header> X-ASP.NET Version. In case you want to hide more unnecessary HTTP headers in IIS and ASP.NET, you could refer to the steps below.

- Add this to web.config to get rid of the X-AspNet-Version header:

      <system.web>
        <httpRuntime enableVersionHeader="false" />
      </system.web>

- X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:

      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>

  This header can also be modified to your needs; for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders

- To remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:

      protected void Application_Start()
      {
          // Suppress the X-AspNetMvc-Version response header
          MvcHandler.DisableMvcResponseHeader = true;
      }

- You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic. However, "X-Powered-By" can only be removed by setting web.config.

      protected void Application_PreSendRequestHeaders(object source, EventArgs e)
      {
          // "foo" and "bar" are placeholder header names
          Response.Headers.Remove("foo");
          Response.Headers.Add("bar", "quux");
      }

Regarding Request header> Referer, again, you can't do this.
The Request.Headers["Referer"] value is a value sent by the browser on each request. It's up to the browser what value it chooses to supply for this value, and there is no means for a web page to send a response that says "for your next request, use this value for the Referer". And when you do a Request.Redirect, you're sending a response to the browser, telling it to make another request.
Hope this helps.
Best regards,
Sean
Wednesday, April 7, 2021 3:04 AM
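
One way to confirm that the two web.config settings from the answer above are actually in place before deploying, as an added example that is not code from the thread. The function name `audit_web_config` and both sample configs are constructed here; it reads only the top-level sections (not `<location>` blocks) and cannot see X-AspNetMvc-Version, which is switched off in code rather than in web.config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two web.config fragments from the answer, combined.
HARDENED = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

# Constructed sample: a config that never mentions either header.
UNTOUCHED = """<configuration>
  <system.web><httpRuntime targetFramework="4.8" /></system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Map each header name to True if this web.config still lets it be sent."""
    root = ET.fromstring(xml_text)

    # X-AspNet-Version: enableVersionHeader defaults to true, so a missing
    # <httpRuntime> element or a missing attribute both count as exposed.
    runtime = root.find("system.web/httpRuntime")
    flag = runtime.get("enableVersionHeader", "true") if runtime is not None else "true"
    aspnet_exposed = flag.strip().lower() != "false"

    # X-Powered-By: inherited from the server-level IIS configuration, so it is
    # sent unless this file drops it. Entries apply in document order:
    # <remove> or <clear /> drops the header, a later <add> puts it back.
    powered_exposed = True
    headers = root.find("system.webServer/httpProtocol/customHeaders")
    if headers is not None:
        for entry in headers:
            name = entry.get("name", "").lower()
            if entry.tag == "clear" or (entry.tag == "remove" and name == "x-powered-by"):
                powered_exposed = False
            elif entry.tag == "add" and name == "x-powered-by":
                powered_exposed = True

    return {"X-AspNet-Version": aspnet_exposed, "X-Powered-By": powered_exposed}


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("untouched", UNTOUCHED)):
        print(label, audit_web_config(cfg))
```
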
-
User-614943948 posted
Thanks Sean. That application was developed in classic ASP.NET. So DisableMVCResponseHeader might not work with it
Thursday, April 8, 2021 7:56 AM -
User-1330468790 posted
Hi maverick786us,
If your project is not a MVC, then I think you don't need to worry about this default header.
Best regards,
Sean
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Friday, April 9, 2021 7:54 AM