Fix to X-AspNet-Version header description · Issue #215 · OWASP/www-project-secure-headers
Is your feature request related to a problem? Please describe.
On the "Best Practices" --> "Prevent information disclosure via HTTP headers" page, the X-AspNet-Version header is described as "Contain the version of the ASP .Net framework in use."; however, all 4.x .NET Framework versions use the same CLR version number, 4.0.30319, so the header does not contain the exact ASP .Net Framework version but rather the CLR version (which is typically 4.0.30319). An attacker cannot ascertain the .NET Framework version in use from this header.
Describe the solution you'd like
Amend the description to accurately reflect the nature of the value contained in the header.
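As an added example (not part of this issue or of the OWASP project's own material), the following script parses a raw HTTP response head and flags the headers that disclose server-side technology, recording for X-AspNet-Version that the value is a CLR build number rather than the .NET Framework release. The sample response is constructed; the header names are the well-known IIS/ASP.NET ones.

```python
"""Added example: flag technology-disclosing HTTP response headers.
Not part of the OWASP issue or project; the sample response is constructed."""
import re

# Headers that leak implementation details, and what each one actually reveals.
DISCLOSING_HEADERS = {
    "server": "web server product and version",
    "x-powered-by": "application framework",
    "x-aspnet-version": "CLR version (4.0.30319 for every 4.x .NET Framework), "
                        "not the exact ASP.NET / .NET Framework version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
}


def parse_headers(raw):
    """Parse a raw HTTP/1.1 response into (status_line, {lower-cased name: value}).
    Only the head, up to the first blank line, is considered; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed lines rather than failing on them
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def find_disclosures(raw):
    """Return [(header, value, what_it_reveals)] for each disclosing header present,
    in the order of DISCLOSING_HEADERS."""
    _, headers = parse_headers(raw)
    return [(name, headers[name], what)
            for name, what in DISCLOSING_HEADERS.items()
            if name in headers]


def is_clr_version(value):
    """True when an X-AspNet-Version value looks like a CLR build number
    (major.minor.build, e.g. 4.0.30319) rather than a framework release like 4.8."""
    return re.fullmatch(r"\d+\.\d+\.\d+", value) is not None


# Constructed sample response from an IIS host that has not suppressed its version headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name, value, what in find_disclosures(SAMPLE_RESPONSE):
        print(f"{name}: {value} -> reveals {what}")
```

On ASP.NET (full framework) the X-AspNet-Version header is suppressed with `<httpRuntime enableVersionHeader="false" />` in web.config; the Server and X-Powered-By headers are configured separately in IIS, so a check like the one above should be run against the live response rather than inferred from configuration.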