如何从Azure Web-Apps中删除过多的响应头信息?

时间:2015-04-07 09:14:55

标签: asp.net asp.net-mvc azure azure-web-sites

我有一个我在Azure Web-Apps上部署的MVC项目。我正在尝试删除过多的标头信息。我试图删除此信息的原因是因为它是标准的安全实践。 (Reference

我正在尝试从响应标头中删除以下信息:

Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET

我在Global.asax.cs文件中有以下代码:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

但它并没有影响结果。

2 个答案:

答案 0 :(得分:13)

请改为尝试:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
     HttpContext.Current.Response.Headers.Remove("Server");
     HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
     HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
 }

此外,在Application_Start中使用以下指令调用它

PreSendRequestHeaders += Application_PreSendRequestHeaders;

要删除X-AspNet-Version,请在web.config中找到/创建并添加:

<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>

要删除X-AspNetMvc-Version,请转到Global.asax,查找/创建Application_Start事件并添加一行,如下所示:

protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}

要删除X-Powered-By,请在web.config中找到/创建并添加:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    ...
</system.webServer>

您应该能够强制所有请求通过将其添加到您的webconfig来管理您的托管代码:

<modules runAllManagedModulesForAllRequests="true">

即使是静态文件和未找到的资源也应遵守标题规则。

参考文献:

答案 1 :(得分:2)

请勿使用代码删除响应标头。根据{{​​3}}

不稳定

使用Web.config自定义标头部分代替定义的Microsoft

    <system.webServer>          
        <httpProtocol>
        <!-- Security Hardening of HTTP response headers -->
        <customHeaders>
            <!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent 
                    Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
            <add name="X-Content-Type-Options" value="nosniff" />

            <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. 
                     By preventing a browser from framing your site you can defend against attacks like clickjacking. 
                     Recommended value "x-frame-options: SAMEORIGIN" -->
            <add name="X-Frame-Options" value="SAMEORIGIN" />

            <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that 
                     they should only read the master crossdomain.xml file from the root of the website. 
                     https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
            <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

            <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. 
                     Recommended value "X-XSS-Protection: 1; mode=block". -->
            <add name="X-Xss-Protection" value="1; mode=block" />

            <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. 
                     If you have sensitive information in your URLs, you don't want to forward to other domains 
                     https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
            <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

            <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
            <remove name="X-Powered-By" />

            <!-- Ensure the cache-control is public, some browser won't set expiration without that  -->
            <add name="Cache-Control" value="public" />
        </customHeaders>
    </httpProtocol>

    <!-- Prerequisite for the <rewrite> section
                Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
    <rewrite>
        <!-- Remove Server response headers (OWASP Security Measure) -->
        <outboundRules rewriteBeforeCache="true">
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />

                <!-- Use custom value for the Server info -->
                <action type="Rewrite" value="Your Custom Value Here." />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>