Created by James Coxhead 08 Dec 2015, 14:03:39 Updated by Sebastiaan Janssen 05 Jan 2016, 09:43:48
I've got a couple of sites running 7.3.1 and 7.3.3 which are returning the X-AspNetMvc-Version HTTP header. I haven't seen this on any of my pre-7.3 sites, so I'm assuming it was introduced with the switch to MVC 5.
Obviously it's good practice to turn off these headers. If this is an issue, I've got a pull request lined up; otherwise I'll hold off.
Yes, please! Does it also remove Server: IIS? :)
Weirdly enough, it should be sufficient to add:
This is what we ship with, but that's apparently not enough sometimes.
Would be great if all these were removed:
HttpContext.Current.Response.Headers.Remove("X-Powered-By");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
HttpContext.Current.Response.Headers.Remove("Server");
Server is removed at IIS level I believe, and it looks like X-Powered-By and X-AspNet-Version are already removed. PR will be with you this afternoon :)
I would still want to remove all of these on the application level so that the server can't override these settings in their hosting config. Some hosting providers are just REALLY proud that they're running IIS.. :)
This post seems to cover all of them, just don't set the server name to something random, remove it instead: http://r2d2.cc/2011/10/21/how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7/
For the server header: there's probably somewhere in Umbraco.Web.UmbracoModule where you can add this. And for the others I'd have a look in Umbraco.Web.UmbracoApplication(Base?).
I've added the line for removing the MVC version header to the WebBootManager class, but on second thoughts the StartApplication method in the UmbracoApplicationBase class may be a better place for it.
Haven't had a chance to look at the other headers yet, I'll have a look at those this evening.
edit: Just had a look at the Init method in UmbracoModule and httpContext.Response.Headers.Remove("Server"); is already in there.
Cool, I see now, and the code comment is true:
//this doesn't normally work since IIS sets it but we'll keep it here anyways.
It indeed does not work (for one of my sites) ;-)
PR submitted: https://github.com/umbraco/Umbraco-CMS/pull/942
I settled on disabling it in the WebBootManager, but if you think it would be better in UmbracoApplicationBase let me know and I'll refactor.
I've also removed the X-AspNet-Version and X-AspNetMvc-Version headers from the response headers collection which seems to work.
Thanks James! All merged in!
Backwards Compatible: True
Fix Submitted: Pull request
Affected versions: 7.3.1, 7.3.3
Due in version: 7.4.0, 7.3.5
Sprint: Sprint 5
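Application-level removal of the four headers named in this thread, as an added example that is not the code from the pull request or from Umbraco. It assumes a plain ASP.NET MVC 5 site whose Global.asax code-behind class is called Global (a hypothetical name here) and which runs on the IIS integrated pipeline.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed Global.asax code-behind of a generic MVC 5 site (not an Umbraco type).
public class Global : HttpApplication
{
    // The version-disclosure headers discussed in the thread.
    private static readonly string[] DisclosureHeaders =
    {
        "Server",
        "X-Powered-By",
        "X-AspNet-Version",
        "X-AspNetMvc-Version"
    };

    protected void Application_Start(object sender, EventArgs e)
    {
        // Tells MVC not to emit X-AspNetMvc-Version at all, so nothing
        // has to be stripped from each response afterwards.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        // Response.Headers can only be modified on the integrated pipeline;
        // in classic mode it throws PlatformNotSupportedException.
        if (!HttpRuntime.UsingIntegratedPipeline)
        {
            return;
        }

        var response = ((HttpApplication)sender).Response;
        foreach (var name in DisclosureHeaders)
        {
            // Remove is a no-op when the header is absent. Headers that IIS
            // adds after this event are not affected, which matches the
            // thread's report that Server can survive on some sites.
            response.Headers.Remove(name);
        }
    }
}
```

Check the result against the live response headers of the deployed site rather than the code alone, since the hosting configuration decides what IIS adds after the application has run.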