I've got several dozen sites that I wish to lock down running ASP.Net and part of the job is to turn off the bloody headers (saying what version of ASP.Net is running). This involves going to each and every web.config file and setting <httpRuntime enableVersionHeader="false" />
.
Is there any way to do this globally? The machine.config(s) , 4 in all, in IIS7 does not support enableVersionHeader="false"
in the same httpRuntime tag.
Is there a special tag or section for this in the machine.config?
I wanted to add that <deployment retail="true" />
is another recommendation, but attempting to put that in the machine.config (under system.web) results in an error as well. (any ideas?)
Right now, I'm just going to put these in the web.configs, but it would be nice if MS would have this PCI mandatory feature inside IIS (a single typo in .config files can take a site or the entire server down - with such a popular request, you'd think they'd put this in the GUI!!!)
machine.config should have a webServer section and you should be able to set it there.
"You will need to add this configuration setting to each Machine.Config file inside the section.
<system.web>
<httpRuntime enableVersionHeader="false" />
.....
</system.web>
"
Reference: here
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With