Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how to set enableVersionHeader to false globally on IIS7

I've got several dozen sites that I wish to lock down running ASP.Net and part of the job is to turn off the bloody headers (saying what version of ASP.Net is running). This involves going to each and every web.config file and setting <httpRuntime enableVersionHeader="false" /> . Is there any way to do this globally? The machine.config(s) , 4 in all, in IIS7 does not support enableVersionHeader="false" in the same httpRuntime tag. Is there a special tag or section for this in the machine.config?

I wanted to add that <deployment retail="true" /> is another recommendation, but attempting to put that in the machine.config (under system.web) results in an error as well. (any ideas?) Right now, I'm just going to put these in the web.configs, but it would be nice if MS would have this PCI mandatory feature inside IIS (a single typo in .config files can take a site or the entire server down - with such a popular request, you'd think they'd put this in the GUI!!!)

like image 731
MC9000 Avatar asked Jul 16 '14 05:07

MC9000


1 Answers

machine.config should have a webServer section and you should be able to set it there.

"You will need to add this configuration setting to each Machine.Config file inside the section.

<system.web>
 <httpRuntime enableVersionHeader="false" />
  .....
</system.web>

"

Reference: here

like image 76
Dexion Avatar answered Oct 05 '22 19:10

Dexion