我有一个我在Azure Web-Apps上部署的MVC项目。我正在尝试删除过多的标头信息。我试图删除此信息的原因是因为它是标准的安全实践。 (Reference)
我正在尝试从响应标头中删除以下信息:
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
我在Global.asax.cs文件中有以下代码:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}
但它并没有影响结果。
答案 0 :(得分:13)
请改为尝试:
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
此外,在Application_Start中使用以下指令调用它
PreSendRequestHeaders += Application_PreSendRequestHeaders;
要删除X-AspNet-Version,请在web.config中找到/创建并添加:
<system.web>
<httpRuntime enableVersionHeader="false" />
...
</system.web>
要删除X-AspNetMvc-Version,请转到Global.asax,查找/创建Application_Start事件并添加一行,如下所示:
protected void Application_Start() {
MvcHandler.DisableMvcResponseHeader = true;
}
要删除X-Powered-By,请在web.config中找到/创建并添加:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
您应该能够强制所有请求通过将其添加到您的webconfig来管理您的托管代码:
<modules runAllManagedModulesForAllRequests="true">
即使是静态文件和未找到的资源也应遵守标题规则。
答案 1 :(得分:2)
请勿使用代码删除响应标头。根据{{3}}
不稳定使用Web.config自定义标头部分代替定义的Microsoft:
<system.webServer>
<httpProtocol>
<!-- Security Hardening of HTTP response headers -->
<customHeaders>
<!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjacking.
Recommended value "x-frame-options: SAMEORIGIN" -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that
they should only read the master crossdomain.xml file from the root of the website.
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Recommended value "X-XSS-Protection: 1; mode=block". -->
<add name="X-Xss-Protection" value="1; mode=block" />
<!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
If you have sensitive information in your URLs, you don't want to forward to other domains
https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="no-referrer-when-downgrade" />
<!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
<remove name="X-Powered-By" />
<!-- Ensure the cache-control is public, some browser won't set expiration without that -->
<add name="Cache-Control" value="public" />
</customHeaders>
</httpProtocol>
<!-- Prerequisite for the <rewrite> section
Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
<!-- Remove Server response headers (OWASP Security Measure) -->
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<!-- Use custom value for the Server info -->
<action type="Rewrite" value="Your Custom Value Here." />
</rule>
</outboundRules>
</rewrite>
</system.webServer>