The header is generated by the MvcHandler class, which is responsible for processing MVC requests. When the Application_Start method initializes the routing table, the framework binds the version string (e.g., 5.2, 4.0, 3.0) from the assembly's AssemblyFileVersionAttribute. This value is appended to the outgoing response's header collection. Unlike the X-AspNet-Version header (which reports the .NET runtime version), X-AspNetMvc-Version is specific to the MVC library.
Response.Headers.Remove("X-AspNetMvc-Version");
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-AspNetMvc-Version" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

(Note: Method 3 does not always work for MVC-added headers; methods 1 or 2 are preferred.)

After removal, a security assessment can confirm absence:

curl -I https://example.com | grep -i X-AspNetMvc

Expected output: (none).
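The check above can be made scriptable so that a build or deployment step fails when a version header comes back. The following is an added example, not part of the original page: the function name find_version_headers and both sample responses are constructed for illustration, and it covers X-AspNet-Version as well as X-AspNetMvc-Version, matching header names case-insensitively and tolerating CRLF line endings.

```sh
#!/bin/sh
# Added example: flag ASP.NET version-disclosure headers in a raw header dump.

# Header names (lowercase) to look for; both are named in the text above.
VERSION_HEADERS="x-aspnetmvc-version x-aspnet-version"

# find_version_headers (hypothetical helper name): reads raw response headers
# on stdin and prints "name: value" for each match.
# Exit status: 1 if any version header is present, 0 if none (CI-friendly).
find_version_headers() {
    tr -d '\r' | awk -F: -v want="$VERSION_HEADERS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        NF >= 2 {                        # skips the status line and blank lines
            name = tolower($1)           # header names are case-insensitive
            if (name in watch) {
                value = substr($0, length($1) + 2)
                sub(/^[ \t]+/, "", value)
                print name ": " value
                hit = 1
            }
        }
        END { exit (hit ? 1 : 0) }
    '
}

# Constructed sample responses (not captured from a real server).
SAMPLE_LEAKY=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-AspNetMvc-Version: 5.2\r\nx-aspnet-version: 4.0.30319\r\n\r\n')
SAMPLE_CLEAN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: private\r\n\r\n')

printf '%s\n' "$SAMPLE_LEAKY" | find_version_headers || echo "FAIL: version headers present"
printf '%s\n' "$SAMPLE_CLEAN" | find_version_headers && echo "PASS: no version headers"

# Against a site you administer (GET request, headers only):
#   curl -s -o /dev/null -D - https://example.com | find_version_headers
```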