Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses?

I am just curious to know if there is a specific reason why the .Net Framework adds the 'X-Powered-By:ASP.NET' Http Header in its responses? Do other web servers (Apache, httpd) do the same thing?

EDIT: I know that it can be changed. I want to know if there is a reason to keep it or leave it as it is?

like image 379
Punit Vora Avatar asked Aug 17 '09 14:08

Punit Vora


5 Answers

I know that PHP does this. I guess there is no real purpose, other than marketing and making it easier for script kiddies to find suitable victims. For PHP it's better to disable the flag entirely since it shows the PHP version and therefore makes the server more vulnerable to attacks.

Edit: Who knows, it might also lead to better search results on bing... ;-)

like image 95
Adrian Grigore Avatar answered Oct 01 '22 17:10

Adrian Grigore


It is a default custom header when using IIS. It is a setting in IIS, you can change it if you wish.

Using IIS6 -

  • Click on the HTTP Headers tab
  • You can edit or remove the header in the Custom HTTP Headers box.
like image 35
Dan Avatar answered Oct 01 '22 17:10

Dan


It is probably there so that sites like Netcraft can pull together statistics for the number of servers running IIS and ASP.NET. This used to be considered an important thing when .NET was released. By stating that n number of sites started using ASP.NET Microsoft could provide metrics for companies that only adopt technology based on the number of other users out there.

I don't believe there is a strong technical reason for having it since a PHP app could imitate an ASP.NET application, by setting the same header in Apache. I could imagine some naive client applications like FrontPage 2003, or SharePoint Designer might use headers like this to validate that they are indeed connecting to an ASP.NET enabled site but that is speculation on my part.

like image 32
Brian Lyttle Avatar answered Oct 01 '22 17:10

Brian Lyttle


It is fairly common to see a signature for the server/executing engine sent with the headers of a page whether you're running Apache and PHP or IIS and ASP.NET. Just acts as some free publicity, I suppose.

like image 4
Nathan Taylor Avatar answered Oct 01 '22 16:10

Nathan Taylor


"X-Powered-By:" isn't a standard header, but "Server: " is (and it clearly serves the same purpose).

In a world of SaaS and Cloud services, Web frameworks are 'strategic' assets, and every little piece of real-estate is advidly conquered... sometimes the cheating way.

like image 2
Jerome Avatar answered Oct 01 '22 17:10

Jerome