X-aspnetmvc-version

curl -I https://example.com | grep -i X-AspNetMvc Expected output: (none).

Response.Headers.Remove("X-AspNetMvc-Version"); x-aspnetmvc-version

In the client-server web model, HTTP headers convey metadata about requests and responses. Most production web applications strive to minimize revealing internal infrastructure details. However, default configurations of ASP.NET MVC (versions 3 through 5) implicitly add the X-AspNetMvc-Version header to every HTTP response. This value corresponds directly to the version of the System.Web.Mvc assembly used. curl -I https://example

protected void Application_EndRequest()

<system.webServer> <httpProtocol> <customHeaders> <remove name="X-AspNetMvc-Version" /> </customHeaders> </httpProtocol> </system.webServer> (Note: Method 3 does not always work for MVC-added headers; methods 1 or 2 are preferred.) After removal, a security assessment can confirm absence: In the client-server web model