U4-7503 - X-AspNet-Mvc-Version header is returned

Created by James Coxhead 08 Dec 2015, 14:03:39 Updated by Sebastiaan Janssen 05 Jan 2016, 09:43:48

I've got a couple of sites running 7.3.1 and 7.3.3 which are returning the X-AspNetMvc-Version HTTP header. I haven't seen this on any of my pre-7.3 sites, so I'm assuming it was introduced with the switch to MVC 5.

Obviously it's good practice to turn off these headers. If this is an issue, I've got a pull request lined up; otherwise I'll hold off.


Sebastiaan Janssen 08 Dec 2015, 14:12:13

Yes, please! Does it also remove Server: IIS? :)

Sebastiaan Janssen 08 Dec 2015, 14:14:59

Weirdly enough, it should be sufficient to add: <system.web> </system.web> (http://stackoverflow.com/a/3418574/5018)

This is what we ship with, but that's apparently not enough sometimes.

Would be great if all these were removed: HttpContext.Current.Response.Headers.Remove("X-Powered-By"); HttpContext.Current.Response.Headers.Remove("X-AspNet-Version"); HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version"); HttpContext.Current.Response.Headers.Remove("Server");

James Coxhead 08 Dec 2015, 14:30:52

Server is removed at IIS level I believe, and it looks like X-Powered-By and X-AspNet-Version are already removed. PR will be with you this afternoon :)

Sebastiaan Janssen 08 Dec 2015, 14:41:28

I would still want to remove all of these on the application level so that the server can't override these setting in their hosting config. Some hosting providers are just REALLY proud that they're running IIS.. :)

This post seems to cover all of them, just don't set the server name to something random, remove it instead: http://r2d2.cc/2011/10/21/how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7/

Sebastiaan Janssen 08 Dec 2015, 14:43:15

For the server header: there's probably somewhere in Umbraco.Web.UmbracoModule where you can add this. And for the others I'd have a look in Umbraco.Web.UmbracoApplication(Base?).

James Coxhead 08 Dec 2015, 15:12:12

I've added the line for removing the MVC version header to the WebBootManager class, but on second thoughts the StartApplication method in the UmbracoApplicationBase class may be a better place for it.

Haven't had a chance to look at the other headers yet, I'll have a look at those this evening.

edit: Just had a look at the InitMehtod in UmbracoModule and httpContext.Response.Headers.Remove("Server"); is already in there.

Sebastiaan Janssen 08 Dec 2015, 15:27:48

Cool, I see now, and the code comment is true:

//this doesn't normally work since IIS sets it but we'll keep it here anyways. It indeed does not work (for one of my sites) ;-)

James Coxhead 08 Dec 2015, 21:53:31

PR submitted: https://github.com/umbraco/Umbraco-CMS/pull/942

I settled on disabling it in the WebBootManager, but if you think it would be better in UmbracoApplicationBase let me know and I'll refactor.

I've also removed the X-AspNet-Version and X-AspNetMvc-Version headers from the response headers collection which seems to work.

Sebastiaan Janssen 15 Dec 2015, 10:25:34

Thanks James! All merged in!

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal


Backwards Compatible: True

Fix Submitted: Pull request

Affected versions: 7.3.1, 7.3.3

Due in version: 7.4.0, 7.3.5

Sprint: Sprint 5

Story Points: