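In my Web API, I am enriching a POST request and forwarding it to another URL. Postman is used to issue the POST request.
Action: POST to http://private.store.internal/api/pay
The request is forwarded to the payment server. For testing, I specified "www.google.com" as the URL the request is forwarded to (of course, it cannot do anything with a POST request).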
var newRequest = new HttpRequestMessage(HttpMethod.Post, request.DesiredDestination);
var response = await httpClient.SendAsync(newRequest, cancellation);
When I inspect the "newRequest" variable, the Headers collection contains a "Host" field, which holds the value of the URL where my API is hosted, e.g.
private.store.internal
This is expected, and the headers returned by the Google server are:
"responseHeaders": [
{
"key": "Referrer-Policy",
"value": [ "no-referrer" ]
},
{
"key": "Alt-Svc",
"value": ["quic=\":443\"; ma=2592000; v=\"41,39,38,37,35\""]
},
{
"key": "Date",
"value": ["Wed, 25 Oct 2017 12:15:57 GMT" ]
},
{
"key": "Content-Length",
"value": ["1561"]
},
{
"key": "Content-Type",
"value": ["text/html; charset=UTF-8"]
}
],
"content": "<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\">\n <title>Error 404 (Not Found)!!1</title>\n <style>\n...
Now I don't want to forward information about the hosting API to the (real) payment server, so I simply removed the "Host" field:
newRequest.Headers.Remove("Host");
But this changes the behaviour of the server the request is forwarded to. The response is now
"responseHeaders": [
{
"key": "X-XSS-Protection",
"value": ["1; mode=block"]
},
{
"key": "X-Frame-Options",
"value": ["SAMEORIGIN"]
},
{
"key": "Alt-Svc",
"value": ["quic=\":443\"; ma=2592000; v=\"41,39,38,37,35\""]
},
{
"key": "Date",
"value": ["Wed, 25 Oct 2017 12:18:52 GMT"]
},
{
"key": "Server",
"value": ["gws"]
},
{
"key": "Content-Length",
"value": ["1589"]
},
{
"key": "Allow",
"value": ["GET","HEAD"]
},
{
"key": "Content-Type",
"value": ["text/html; charset=UTF-8"]
}
],
"content": "<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\">\n <title>Error 405 (Method Not Allowed)!!1
Completely different. My question is: why does changing/removing the Host property (= where my API was called) change the web server's response?
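Answer 0: (score: 0)
It's obvious. The web server you send the request to depends on the headers, method, etc. that you send. For example, some web servers block requests without a .join("") header, because it might be an exploit.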
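The effect described in the question, as an added example that is not part of the original post or answer: a loopback listener stands in for the destination server and reports the Host header it receives, once with the inbound Host carried over and once with Host left unset, in which case HttpClient derives it from the destination URI. The names `HostHeaderDemo`, `ServeOnce` and `Forward` are hypothetical, and the loopback address is an assumption made so the demo runs offline.

```csharp
// Added example, not the asker's code. Host names and the loopback endpoint are constructed.
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;
class HostHeaderDemo
{
    // Stand-in for the destination server: replies with the Host header it received.
    static async Task ServeOnce(TcpListener tcp)
    {
        using var conn = await tcp.AcceptTcpClientAsync();
        var stream = conn.GetStream();
        var reader = new StreamReader(stream, Encoding.ASCII);
        string host = "(none)", line;
        while (!string.IsNullOrEmpty(line = await reader.ReadLineAsync()))   // headers end at the blank line
            if (line.StartsWith("Host:", StringComparison.OrdinalIgnoreCase)) host = line.Substring(5).Trim();
        var reply = Encoding.ASCII.GetBytes($"HTTP/1.1 200 OK\r\nContent-Length: {host.Length}\r\nConnection: close\r\n\r\n{host}");
        await stream.WriteAsync(reply, 0, reply.Length);
    }
    // Builds the outbound request the way a forwarding API would.
    static async Task<string> Forward(HttpClient client, Uri destination, string inboundHost)
    {
        var outbound = new HttpRequestMessage(HttpMethod.Post, destination);
        // A non-null value here reproduces "inbound Host copied to the outbound request":
        // the internal name leaks and the destination routes on the wrong virtual host.
        // Null leaves Host unset, so HttpClient fills it in from the destination URI.
        outbound.Headers.Host = inboundHost;
        var response = await client.SendAsync(outbound);
        return await response.Content.ReadAsStringAsync();
    }
    static async Task Main()
    {
        var tcp = new TcpListener(IPAddress.Loopback, 0);   // port 0: the OS picks a free port
        tcp.Start();
        var destination = new Uri($"http://127.0.0.1:{((IPEndPoint)tcp.LocalEndpoint).Port}/api/pay");
        using var client = new HttpClient();
        foreach (var inboundHost in new[] { "private.store.internal", null })
        {
            var server = ServeOnce(tcp);
            var seen = await Forward(client, destination, inboundHost);
            Console.WriteLine($"Host set to {inboundHost ?? "(unset)"} -> destination saw Host: {seen}");
            await server;
        }
        tcp.Stop();
    }
}
```

A request can never reach the destination without a Host value in HTTP/1.1, so removing the copied header does not hide anything from the server; it only replaces the internal name with the destination's own name, which is why the destination then routes the request differently.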