Our security team would like our .NET 2.0 website to appear generic to the user, not indicating any particular architecture. "ReturnURL" indicates an ASP.NET website. (Hiding .ASPX in the address bar is a related request.)
I have already figured out how to hide response headers. Not sure how to hide the things I mentioned above. Is it possible? Do I need to redesign the site?
Thanks for any advice.
On
Are you using owin? if you do, you can remove returnUrl, but there is nothing about security on that
//Account/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
//
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
//your code
//...
//...
}
I don't think you can change much in 2.0. Later versions have a thing called 'Friendly URLs' that make urls look like mvc urls, with no file extension. As others have said, changing these things won't really help with security.