X-AspNet-Version
The HTTP X-AspNet-Version response header is an unofficial HTTP header exposing the version of the ASP.NET framework running on the server.
Note
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.
Usage
The ASP.NET runtime adds the X-AspNet-Version header automatically to every response generated by the framework. The value identifies the specific .NET Framework version handling the request. This behavior is enabled by default in ASP.NET applications running on IIS.
The header reveals details about the server's technology stack. Version information helps attackers target known vulnerabilities in specific .NET Framework releases.
Removing the header is a common hardening step for ASP.NET deployments. The header is controlled through the enableVersionHeader attribute in the httpRuntime element of web.config. MvcHandler.DisableMvcResponseHeader controls the separate X-AspNetMvc-Version header, not this one.
The X-Powered-By and Server headers carry similar technology disclosure risks.
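One way to audit a web.config for the enableVersionHeader setting described above, as an added example that is not code from the original page or from Microsoft. The sample configs are constructed, the function name version_header_enabled is hypothetical, and only the application-level system.web section of a single file is checked (inherited settings and location overrides are not).

```python
import xml.etree.ElementTree as ET

# Constructed sample: httpRuntime present, attribute absent (default applies).
DEFAULT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
  </system.web>
</configuration>"""

# Constructed sample: the hardened form, header switched off.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" enableVersionHeader="false" />
  </system.web>
</configuration>"""

# Constructed sample: no httpRuntime element at all.
NO_HTTPRUNTIME_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


def version_header_enabled(web_config_xml):
    """Return True if this file leaves X-AspNet-Version switched on.

    Assumption: only configuration/system.web/httpRuntime in this one
    file is inspected; parent configs and <location> blocks are ignored.
    """
    root = ET.fromstring(web_config_xml)
    for section in root:
        if section.tag != "system.web":
            continue
        runtime = section.find("httpRuntime")
        if runtime is not None:
            # A missing attribute means the default, which sends the header.
            value = runtime.get("enableVersionHeader", "true")
            return value.strip().lower() != "false"
    # No httpRuntime element: nothing overrides the default.
    return True
```
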
Values
.NET Framework version string
The value is a .NET Framework version number in major.minor.build format. The version maps directly to the CLR (Common Language Runtime) version installed on the server, not the ASP.NET application's target framework.
Common version strings:
4.0.30319 corresponds to .NET Framework 4.0 through 4.8.x. All .NET 4.x releases share this CLR version.
2.0.50727 corresponds to .NET Framework 2.0, 3.0, and 3.5. These frameworks share the CLR 2.0 runtime.
1.1.4322 corresponds to .NET Framework 1.1.
Custom or spoofed values
Some servers replace the real version string with a custom value to obscure the actual framework version. Values like Good Try appear in the wild as deliberate misdirection.
Example
A server running any version of .NET Framework 4.x returns the CLR 4 version string. This is the most common value observed in production.
X-AspNet-Version: 4.0.30319
An older server running .NET Framework 2.0 or 3.5 returns the CLR 2 version string. Both frameworks share the same underlying runtime version.
X-AspNet-Version: 2.0.50727
A server configured with a custom value returns that value instead of the real version number. This approach obscures the actual framework version while keeping the header present.
X-AspNet-Version: Good Try
Takeaway
The X-AspNet-Version header identifies the .NET Framework CLR version on the server. Disabling the header is a standard security hardening practice for ASP.NET deployments to avoid exposing version details.