In order to better hide information from users, I'm trying to remove the Version information section from the standard ASP.NET error screen.
Custom errors are on, but, under certain circumstances, if you manage to get an error outside of your control (server issues perhaps?) then you can get through to the YSOD. I've tried changing the web.config to include the httpRuntime setting where you can set enableVersionHeader to false, but the version information still comes through.
Also, in the Application_PreSendRequestHeaders method, I've tried to remove "X-AspNet-Version" from the response headers but that header doesn't exist due to the web.config setting.
Is what I want even possible within this context or will that information always exist?
To hide .NET version information from .NET error pages (not generic IIS errors like 403, 404 etc.), use an empty element without the defaultRedirect attribute:

    <configuration>
      <system.web>
        <customErrors mode="RemoteOnly"/>
      </system.web>
    </configuration>
To remove the X-AspNet-Version HTTP response header, set enableVersionHeader to False on the httpRuntime element:

    <configuration>
      <system.web>
        <httpRuntime enableVersionHeader="False"/>
      </system.web>
    </configuration>
In IIS this problem can be resolved by changing the "HTTP Response Headers" configuration.
To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
      ...
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

    protected void Application_Start()
    {
        MvcHandler.DisableMvcResponseHeader = true;
    }
To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
      ...
The problem could be that IIS is rendering the error page instead of ASP.NET. Try changing the system.webServer section of your web.config like this:

    <system.webServer>
      <httpErrors errorMode="Custom" existingResponse="Replace">
        <remove statusCode="500" subStatusCode="-1" />
        <error statusCode="500" subStatusCode="-1" responseMode="ExecuteURL" path="/500.aspx" />
      </httpErrors>
    </system.webServer>
Also, check your IIS settings; that's probably where the X-AspNet-Version header is being set.
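
As an added example (not part of any answer above), this Python script audits a single web.config for the settings the answers describe: enableVersionHeader, customErrors, httpErrors and the X-Powered-By removal. The two sample configs and the names `attr` and `audit_web_config` are constructed for illustration; it assumes only the top-level sections of one file matter, so inherited or server-level IIS settings and the X-AspNetMvc-Version header (disabled in code, not config) are out of scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): detailed errors on, version header left
# at its default, no X-Powered-By removal.
WEAK = """<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <httpRuntime targetFramework="4.8"/>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed"/>
  </system.webServer>
</configuration>"""

# Constructed sample combining the settings given in the answers above.
HARDENED = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly"/>
    <httpRuntime enableVersionHeader="False"/>
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders><remove name="X-Powered-By"/></customHeaders></httpProtocol>
    <httpErrors errorMode="Custom" existingResponse="Replace"/>
  </system.webServer>
</configuration>"""

def attr(root, path, name, default):
    """Lower-cased attribute value at path, or the default if element/attribute is absent."""
    node = root.find(path)
    return (node.get(name, default) if node is not None else default).lower()

def audit_web_config(xml_text):
    """Return findings for one web.config; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # ASP.NET sends X-AspNet-Version unless enableVersionHeader is explicitly false.
    if attr(root, "system.web/httpRuntime", "enableVersionHeader", "true") != "false":
        findings.append("X-AspNet-Version: enableVersionHeader is not false")
    # mode="Off" shows the detailed error page to remote clients.
    if attr(root, "system.web/customErrors", "mode", "RemoteOnly") == "off":
        findings.append("YSOD: customErrors mode is Off")
    # errorMode="Detailed" makes IIS return detailed errors to remote clients.
    if attr(root, "system.webServer/httpErrors", "errorMode", "DetailedLocalOnly") == "detailed":
        findings.append("IIS errors: httpErrors errorMode is Detailed")
    removed = {r.get("name", "").lower() for r in
               root.findall("system.webServer/httpProtocol/customHeaders/remove")}
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By: no <remove> entry in customHeaders")
    return findings
```

Calling `audit_web_config(WEAK)` returns one finding per check, while `audit_web_config(HARDENED)` returns an empty list.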