Fix to X-AspNet-Version header description

[baggers27]

Is your feature request related to a problem? Please describe.

On the "Best Practices" --> "Prevent information disclosure via HTTP headers", the X-AspNet-Version header is described as "Contain the version of the ASP .Net framework in use.", however all 4.x .NET Framework versions use the same CLR version number 4.0.30319, so it does not contain exactly the ASP .Net Framework, rather the CLR version (which is typically 4.0.30319). An attacker cannot ascertain the .NET framework in use from this header.

Describe the solution you'd like
Amend the description to accurately reflect the nature of the value contained in the header.

[righettod]

Hi,

Thanks a lot for the notification.

Do you have some references to help us to dig this point and fix the issue?

Thanks in advance 😃

[baggers27]

Try these:

https://learn.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed
https://stackoverflow.com/questions/63097616/does-x-aspnet-version-correlate-to-net-framework-version
https://stackoverflow.com/questions/74890132/clr-4-0-30319-vulnerabilities

[righettod]

Thank you.

[righettod]

📖 Based on the reading of the differentes sources as well as additional searches, I understand that the value returned by the header only allow to identify the major version of .NET CLR in use by the web app based on the beginning of the value (source):

📊 https://webtechsurvey.com/response-header/x-aspnet-version

📊 https://endoflife.date/dotnetfx

💻 So, from this, the only information that can be derived is if the server has an old major version of the .NET framework in use.

🤔 Did I missed something?

[baggers27]

Seems right to me. The greatest issue would be if an application is using an old major version which is then revealed by the header, but the header would still reveal the nature of the application (.NET) even for more recent versions, which could still be argued to be information disclosure. It depends what you think is best said in the description. It could be just changing the description to say "Contain the version of the ASP .Net framework Common Language Runtime (CLR) in use."

[righettod]

I totally agree with you.
I will operate the update via a dedicated PR.
Thanks a lot again for the notification and the feedback.