ASP.NET Security

  • Question

  • User-614943948 posted

    When I open an ASP.NET application in Google Chrome, while inspecting HTML Elements > Network > Headers:

    1. In general it shows the Request URL, which I want to hide.
    2. In Response header > X-ASP.NET Version it shows version information, which I want to hide.
    3. In Request header > Referer it again shows the URL, which I want to hide.

    How can I hide these things?

    Monday, April 5, 2021 9:04 AM

All replies

  • User475983607 posted

    It is not possible to hide header lines in an HTTP message. You can remove the X-ASP.NET header.

    The referrer comes from the browser (client).  The client can send whatever it wants.

    The requested URL is also in the address bar and required to get the resource from the server.  

    Monday, April 5, 2021 12:46 PM
  • User-614943948 posted

    What is Orion in this context?

    Tuesday, April 6, 2021 9:21 AM
  • User-1330468790 posted

    Hi maverick786us,

     

    If you mean "Orion" in your research result, it is just a platform to do IT management. You don't need to focus on this word.

     

    Now your question is how to remove Response header > X-ASP.NET Version. In case you want to hide more unnecessary HTTP headers in IIS and ASP.NET, you could refer to the steps below.

    • Add this to web.config to get rid of the X-AspNet-Version header:
      <system.web>
        <httpRuntime enableVersionHeader="false" />
      </system.web>

    • X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>

      This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders

    • Remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:
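      // MvcHandler lives in the System.Web.Mvc namespace (add "using System.Web.Mvc;").
      protected void Application_Start()
      {
          // Stop ASP.NET MVC from emitting the X-AspNetMvc-Version response header.
          MvcHandler.DisableMvcResponseHeader = true;
      }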

    • You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic. However, "X-Powered-By" can only be removed by setting web.config.
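      protected void Application_PreSendRequestHeaders(object source, EventArgs e)
      {
          // "foo" and "bar" are placeholder header names.
          Response.Headers.Remove("foo");      // drop a header before the response is sent
          Response.Headers.Add("bar", "quux"); // add a header whose value is computed at runtime
      }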

    Regarding Request header> Referer, again, you can't do this.

    The Request.Headers["Referer"] value is a value sent by the browser on each request. It's up to the browser what value it chooses to supply for this value, and there is no means for a web page to send a response that says "for your next request, use this value for the Referer". And when you do a Request.Redirect, you're sending a response to the browser, telling it to make another request.

     

    Hope this helps.

    Best regards,

    Sean

    Wednesday, April 7, 2021 3:04 AM
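
A way to confirm that the web.config and Global.asax changes in the answer above took effect, as an added example that is not part of the original thread: it reports which of the three version headers named in the answer are still present in a response, including on error responses. The sample responses are constructed, and the function names are this example's own.

```python
import urllib.error
import urllib.request

# Header names taken from the thread; matched case-insensitively.
BANNER_HEADERS = ("X-AspNet-Version", "X-Powered-By", "X-AspNetMvc-Version")


def find_banners(headers):
    """Return {canonical name: value} for each banner header present."""
    wanted = {name.lower(): name for name in BANNER_HEADERS}
    found = {}
    for name, value in headers:
        key = name.strip().lower()
        if key in wanted:
            found[wanted[key]] = value.strip()
    return found


def parse_raw_head(raw):
    """Split a raw response head (status line + headers) into (name, value) pairs."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name, value))
    return pairs


def audit_url(url, timeout=10):
    """Fetch url with HEAD and report banners; error responses are audited too."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return find_banners(resp.headers.items())
    except urllib.error.HTTPError as err:  # 4xx/5xx pages can still carry banners
        return find_banners(err.headers.items())


# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n"
          "x-aspnetmvc-version: 5.2\r\n\r\n<html>")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print("before:", find_banners(parse_raw_head(BEFORE)))
    print("after: ", find_banners(parse_raw_head(AFTER)))
```

Call `audit_url` against your own site after deploying, and check an error page as well as a normal page.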
  • User-614943948 posted

    Thanks Sean. That application was developed in classic ASP.NET. So DisableMVCResponseHeader might not work with it.

    Thursday, April 8, 2021 7:56 AM
  • User-1330468790 posted

    Hi maverick786us,

      

    If your project is not an MVC project, then I think you don't need to worry about this default header.

      

    Best regards,

    Sean

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, April 9, 2021 7:54 AM