Member
68 Points
228 Posts
ASP.NET Security
Apr 05, 2021 09:04 AM|maverick786us|LINK
When I open ASP.NET application in Google Chrome, while inspecting HTML Elements>Network>Headers
1. In general it shows RequestURL which I want to hide
2. In Response header> X-ASP.NET Version it shows version information, which I want to hide
3. In Request header> Referer it again shows the URL which I want to hide.
How can I hide these things?
All-Star
53641 Points
24010 Posts
Re: ASP.NET Security
Apr 05, 2021 12:46 PM|mgebhard|LINK
It is not possible to hide header lines in an HTTP message. You can remove the X-ASP.NET header.
The referrer comes from the browser (client). The client can send whatever it wants.
The requested URL is also in the address bar and required to get the resource from the server.
Member
68 Points
228 Posts
Re: ASP.NET Security
Apr 06, 2021 09:21 AM|maverick786us|LINK
What is Orion in this context?
Contributor
3010 Points
886 Posts
Re: ASP.NET Security
Apr 07, 2021 03:04 AM|Sean Fang|LINK
Hi maverick786us,
If you mean "Orion" in your research result, it is just a platform to do IT management. You don't need to focus on this word.
Now your question is how to remove Response header> X-ASP.NET Version. In case you want to hide more unnecessary HTTP headers in IIS and ASP.NET, you could refer to the steps below.
Add this to web.config to get rid of the X-AspNet-Version header:
X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:
This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders
To remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:
You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic. However, "X-Powered-By" can only be removed by setting web.config.
Regarding Request header> Referer, again, you can't do this.
The Request.Headers["Referer"] value is a value sent by the browser on each request. It's up to the browser what value it chooses to supply for this value, and there is no means for a web page to send a response that says "for your next request, use this value for the Referer". And when you do a Request.Redirect, you're sending a response to the browser, telling it to make another request.
Hope this helps.
Best regards,
Sean
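The two web.config settings the answer above refers to, written out as an added example (the snippets from the original post are not reproduced on this page, and this is not the poster's code). It assumes an IIS 7+ site running ASP.NET on the .NET Framework; merge the elements into your existing web.config instead of replacing it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET emits "X-AspNet-Version" by default (enableVersionHeader="true").
         Setting the attribute to false stops the runtime from adding it.
         If an httpRuntime element already exists, add the attribute to it. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- "X-Powered-By: ASP.NET" is inherited from the server-level
             customHeaders list in IIS; this removes it for this site only. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

X-AspNetMvc-Version is not controlled from web.config: in an MVC project it is switched off in code with `MvcHandler.DisableMvcResponseHeader = true;` in `Application_Start`. After deploying, reload the page and confirm in the browser's Network > Headers view that the response no longer carries these headers.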
Member
68 Points
228 Posts
Re: ASP.NET Security
Apr 08, 2021 07:56 AM|maverick786us|LINK
Thanks Sean. That application was developed in classic ASP.NET. So DisableMVCResponseHeader might not work with it.
Contributor
3010 Points
886 Posts
Re: ASP.NET Security
Apr 09, 2021 07:54 AM|Sean Fang|LINK
Hi maverick786us,
If your project is not MVC, then I think you don't need to worry about this default header.
Best regards,
Sean