3

I analyzed the response header of an application today. I wonder why or for what purpose the following definitions are useful:

server: Microsoft-IIS/10.0
x-aspnet-version: 4.0.30319
x-aspnetmvc-version: 5.2
x-powered-by: ASP.NET

I suppose there's a special reason why this is sent by default? I know you can turn it off.

Astrophage

1 Answer

2

My guess is it's done by framework developers mostly for "advertisement" purposes. See for example this issue for the Kestrel framework (often used by ASP.NET Core). The reasoning for adding the "Server" header in that issue is:

This is required by TechEmpower benchmarks.

Developers want their framework listed on a popular web framework benchmarking website, so they added the Server header. There are also certain sites that measure the popularity of web frameworks based on such headers. Without the "X-Powered-By" header those sites won't know you are using ASP.NET, so it will look like no one in the world uses ASP.NET, which might affect its popularity (you see that no one uses it, so you are not going to start using it yourself). If nginx were not adding the Server header, it wouldn't be the most popular web server in the world (or rather, you wouldn't know if it is). With the version header one might gather statistics about how fast users switch to certain versions of popular frameworks.

As you see, those headers have value mostly for framework developers and global statistics, and because they also introduce minor information leakage, you should just remove them from your application, because the safety of your application should have bigger value (for you) than the advertisement goals of framework developers.

Evk
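
Each of the four headers in the question is controlled in a different place, so removing them takes more than one setting. The following web.config is an added example, not part of the question or the answer, and assumes a classic ASP.NET 4.x / MVC 5 application hosted on IIS 10.0:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: merge these elements into the application's existing web.config. -->
<configuration>
  <system.web>
    <!-- x-aspnet-version: emitted by the ASP.NET runtime.
         If <httpRuntime> already exists (e.g. with targetFramework), add the attribute to it. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- x-powered-by: an IIS custom header inherited from the server-level configuration. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- server: the removeServerHeader attribute is available from IIS 10.0. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
  <!-- x-aspnetmvc-version: not configurable here. Set
       System.Web.Mvc.MvcHandler.DisableMvcResponseHeader = true;
       in Application_Start (Global.asax.cs). -->
</configuration>
```

Error responses generated by HTTP.sys before a request reaches IIS can still carry their own Server header, so verify the result against both normal and malformed requests.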