X-AspNetMvc-Version
The HTTP X-AspNetMvc-Version response header is an unofficial HTTP header exposing the version of the ASP.NET MVC framework running on the server.
Note
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.
Usage
The ASP.NET MVC framework adds the X-AspNetMvc-Version header automatically to every response. The value identifies the specific MVC framework version handling the request. This behavior is enabled by default in ASP.NET MVC applications running on IIS.
The header is distinct from
X-AspNet-Version, which identifies the
underlying CLR/.NET Framework version rather than the MVC
framework version. Both headers reveal details about the
server's technology stack. Version information helps
attackers target known vulnerabilities in specific MVC
releases. Removing the header is a common hardening step
for ASP.NET MVC deployments. The header is controlled
programmatically by setting
MvcHandler.DisableMvcResponseHeader = true in
Application_Start. The X-Powered-By and
Server headers carry similar technology
disclosure risks.
Values
MVC version string
The value is an ASP.NET MVC version number in
major.minor format. The version maps directly to the
MVC framework release installed on the server.
Common version strings:
5.2corresponds to ASP.NET MVC 5.2, the most widely deployed version. Ships with Visual Studio 2013+ and remains common on .NET Framework 4.x applications.5.1corresponds to ASP.NET MVC 5.1.4.0corresponds to ASP.NET MVC 4, released alongside .NET Framework 4.5.3.0corresponds to ASP.NET MVC 3, released alongside the Razor view engine.
ASP.NET Core does not send this header. The header appears only on classic ASP.NET MVC applications running on the .NET Framework.
Example
A server running ASP.NET MVC 5.2 returns the most common version string in production. This is the final major release of the classic ASP.NET MVC framework.
X-AspNetMvc-Version: 5.2
An older application running ASP.NET MVC 4 returns a
different version number. The presence of 4.0 indicates
the application has not been upgraded to MVC 5.
X-AspNetMvc-Version: 4.0
A server running ASP.NET MVC 3 returns the version associated with the introduction of the Razor view engine.
X-AspNetMvc-Version: 3.0
Takeaway
The X-AspNetMvc-Version header identifies the ASP.NET MVC framework version on the server. Disabling the header is a standard security hardening practice for ASP.NET MVC deployments to avoid exposing version details.