Friday, June 10, 2011

Securing ASP.NET applications by hiding response headers

Although it’s fairly obvious that a website is running ASP.NET (the session cookie and the ViewState give it away), you can still reduce what your server advertises by removing a few response headers that reveal the IIS and ASP.NET versions. The most common response headers you should remove are the following:
  • X-Powered-By: ASP.NET
  • X-AspNet-Version: *.*.*
  • Server: Microsoft-IIS/*.*
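As an added example (not from the original post), a minimal web.config that removes the three headers listed above; note that the removeServerHeader attribute exists only on IIS 10 and later, so on older versions the Server header has to be stripped with a URL Rewrite outbound rule or from code instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Stops ASP.NET from emitting X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is added by IIS itself; remove it at the site level -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Suppresses Server: Microsoft-IIS/x.x (IIS 10 and later only) -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm with a HEAD request (for example `curl -I` against the site) that none of the three headers is still present.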