我正在使用的MVC应用程序中的每个页面都在响应中设置这些HTTP标头:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
如何防止这些显示?
X-Powered-By是IIS中的自定义标头。从IIS 7开始,您可以通过在web.config中添加以下内容来删除它:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
此标题也可以根据您的需要进行修改,有关更多信息,请参阅http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders
将其添加到web.config以摆脱X-AspNet-Version标头:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
最后,要删除X-AspNetMvc-Version,请编辑Global.asax.cs并在Application_Start事件中添加以下内容:
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
您还可以通过Application_PreSendRequestHeaders中的Global.asax.cs事件在运行时修改标头。如果标头值是动态的,这非常有用:
protected void Application_PreSendRequestHeaders(object source, EventArgs e)
{
Response.Headers.Remove("foo");
Response.Headers.Add("bar", "quux");
}
IIS将X-Powered-By标头添加到HTTP响应中,因此您甚至可以通过IIS管理器在服务器级别删除它:
您可以直接使用web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
检查this blog不要使用代码删除标头。根据Microsoft它是不稳定的
我对此的看法:
<system.webServer>
<httpProtocol>
<!-- Security Hardening of HTTP response headers -->
<customHeaders>
<!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjacking.
Recommended value "x-frame-options: SAMEORIGIN" -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that
they should only read the master crossdomain.xml file from the root of the website.
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Recommended value "X-XSS-Protection: 1; mode=block". -->
<add name="X-Xss-Protection" value="1; mode=block" />
<!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
If you have sensitive information in your URLs, you don't want to forward to other domains
https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="no-referrer-when-downgrade" />
<!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
<remove name="X-Powered-By" />
<!-- Ensure the cache-control is public, some browser won't set expiration without that -->
<add name="Cache-Control" value="public" />
</customHeaders>
</httpProtocol>
<!-- Prerequisite for the <rewrite> section
Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
<!-- Remove Server response headers (OWASP Security Measure) -->
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<!-- Use custom value for the Server info -->
<action type="Rewrite" value="Your Custom Value Here." />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
您还可以通过向global.asax文件添加代码来删除它们:
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("X-Powered-By");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
HttpContext.Current.Response.Headers.Remove("Server");
}
我在我的web.config中找到了这个配置,这是用于在Visual Studio中创建的New Web Site...(而不是New Project...)。由于问题陈述了一个ASP.NET MVC应用程序,不是相关的,但仍然是一个选项。
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
更新:此外,特洛伊亨特有一篇题为Shhh… don’t let your response headers talk too loudly的文章,其中包含有关删除这些标题的详细步骤以及用于扫描它们和其他安全配置的ASafaWeb工具的链接。
如Cloaking your ASP.NET MVC Web Application on IIS 7中所述,您可以通过将以下配置部分应用于web.config来关闭X-AspNet-Version标头:
<system.web>
<httpRuntime enableVersionHeader="false"/>
</system.web>
并通过更改Global.asax.cs删除X-AspNetMvc-Version标头,如下所示:
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
如Custom Headers 中所述您可以通过将以下配置部分应用于web.config来删除“X-Powered-By”标头:
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
</customHeaders>
</httpProtocol>
</system.webServer>
没有简单的方法可以通过配置删除“服务器”响应标头,但是您可以实现HttpModule来删除特定的HTTP标头,如Cloaking your ASP.NET MVC Web Application on IIS 7和how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7中所述。
.NET核心
要删除Server.cs文件中的Server标头,请添加以下选项:
.UseKestrel(opt => opt.AddServerHeader = false)
对于dot net core 1,put在.UseKestrel()调用中添加选项。对于dot net core 2,在UseStartup()之后添加该行。
要删除X-Powered-By标头,如果部署到IIS,请编辑web.config并在system.webServer标记内添加以下部分:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
.NET 4.5.2
要删除Server标头,请在global.asax文件中添加以下内容:
protected void Application_BeginRequest(object sender, EventArgs e)
{
string[] headers = { "Server", "X-AspNet-Version" };
if (!Response.HeadersWritten)
{
Response.AddOnSendingHeaders((c) =>
{
if (c != null && c.Response != null && c.Response.Headers != null)
{
foreach (string header in headers)
{
if (c.Response.Headers[header] != null)
{
c.Response.Headers.Remove(header);
}
}
}
});
}
}
对于.NET 4.5.2
将以下c#类添加到项目中:
public class RemoveServerHeaderModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += OnPreSendRequestHeaders;
}
public void Dispose() { }
void OnPreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("Server");
}
}
然后在你的web.config中添加以下<modules>部分:
<system.webServer>
....
<modules>
<add name="RemoveServerHeaderModule" type="MyNamespace.RemoveServerHeaderModule" />
</modules>
但是我遇到了子项目找不到这个模块的问题。不好玩。
要删除“X-AspNetMvc-Version”标记,对于任何版本的.NET,请修改“web.config”文件以包含:
<system.web>
...
<httpRuntime enableVersionHeader="false" />
...
</system.web>
感谢微软让这难以置信的困难。或者也许这是你的意图,以便你可以跟踪世界各地的IIS和MVC安装......
如Removing standard server headers on Windows Azure Web Sites页面所示,您可以使用以下内容删除标题:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<clear />
</customHeaders>
</httpProtocol>
<security>
<requestFiltering removeServerHeader="true"/>
</security>
</system.webServer>
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
</configuration>
这将删除Server标头和X-header。
这在我的Visual Studio 2015测试中本地工作。
在Asp.Net Core中,您可以编辑web.config文件,如下所示:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
您可以删除Kestrel选项中的服务器标头:
.UseKestrel(c =>
{
// removes the server header
c.AddServerHeader = false;
})
为了完整起见,还有另一种方法可以使用regedit删除Server标头。
在以下注册表项中创建名为DisableServerHeader的DWORD条目,并将值设置为1。
HKLM \系统\ CurrentControlSet \服务\ HTTP \参数
我宁愿使用Web.config找到一个合适的解决方案,但使用<rewrite>并不好,因为它需要安装重写模块,即使这样它也不会真正删除标题,只是清空它。
您可以在Application_EndRequest()中更改任何标题或任何内容
protected void Application_EndRequest()
{
// removing excessive headers. They don't need to see this.
Response.Headers.Remove("header_name");
}