About ASP.NET 1.1 telling a little bit too much
Sure, we all love ASP.NET 1.1. Scott, Rob, and team really rock! But have you ever looked at what HTTP headers ASP.NET returns? Well, I will show you:
[...]
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
[...]
Oops! In my opinion this is just a little bit too much - just think about some nice and neat attacks based on this information. Now the ASP.NET-related expert would answer: "Hey guy, this is no problem. There is a switch for configuring the HTTP runtime in machine.config! Just use the appropriate attribute to turn this off." OK, here is the attribute switch:
enableVersionHeader="[true|false]" - outputs X-AspNet-Version header with each request
But again, this will only eliminate X-AspNet-Version; X-Powered-By still remains. To make a long story short: Christoph Wille found some time (I kindly asked him :-)) to write a small IIS ISAPI filter which kills this last header. Take it and have fun - freedom and peace for everyone ...
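To confirm what each step actually removes, the response headers can be checked after every change. The following is an added example, not part of the original post or of the ISAPI filter: the function names `parse_headers` and `find_disclosures` are hypothetical, and both sample responses are constructed from the headers shown above.

```python
# Added example: audit a raw HTTP response head for the two disclosure
# headers named in the post. Both sample responses are constructed.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version")


def parse_headers(raw_head):
    """Parse status line + headers into a dict keyed by lower-cased name."""
    headers = {}
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # skip the status line
        if not line.strip():        # blank line ends the header block
            break
        if ":" not in line:         # ignore malformed lines
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        # Repeated headers are joined, as HTTP allows for list values.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def find_disclosures(raw_head):
    """Return {header: value} for each disclosure header still present."""
    headers = parse_headers(raw_head)
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}


# Constructed sample: default ASP.NET 1.1 response, headers as in the post.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "\r\n"
)

# Constructed sample: the same response with enableVersionHeader="false".
VERSION_HEADER_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE),
                       ("version header off", VERSION_HEADER_OFF)):
        print(label, "->", find_disclosures(raw) or "clean")
```

An empty result from `find_disclosures` is the target state once both the machine.config switch and the filter are in place.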