Remove sensitive Headers from Azure PaaS hosted Websites
Question
If you follow this article Azure Blog, you can remove the Server, X-Powered-By and MVC version headers, which is great.
You can also achieve similar with a custom IIS module with the following method:
using System;
using System.Web;
public class RemoveHeadersModule : IHttpModule
{
    public void Init(HttpApplication app) { app.PreSendRequestHeaders += OnPreSendRequestHeaders; }
    public void Dispose() { }
    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        // Strip version-disclosing headers just before they are flushed to the client
        HttpContext.Current?.Response.Headers.Remove("Server");
        HttpContext.Current?.Response.Headers.Remove("X-AspNet-Version");
        HttpContext.Current?.Response.Headers.Remove("X-AspNetMvc-Version");
        HttpContext.Current?.Response.Headers.Remove("X-Powered-By");
    }
}
However, if you send the following query string:
https://yourAppService.azurewebsites.net/test.txt:
You manage to avoid all the steps you've taken to avoid sending the headers you are trying to keep away from potential hackers.
Sample request:
Sample response:
Is there a way to completely remove these headers from ALL responses, and not just requests the app manages to handle gracefully? I have managed to remove the headers from 99% of responses, but not all!
I have also found if you use PostMan to send a GET request to
https://yourSite.azurewebsites.net/400errortest%00
you get
The request to /test.txt: was reported fixed by MS on the 26th June 2017. I can confirm it is fixed for this scenario.
Requests to https://yourSite.azurewebsites.net/400errortest%00 via PostMan still return a Server Header which is not great.
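To verify that header removal really covers the error paths described in the question, here is an added check script; it is not part of the original post or any Microsoft code. It probes the three paths from the question (the normal root, the trailing-colon path and the `%00` path) on a hostname that is assumed to be your own App Service (the placeholder from the question is used by default) and reports which responses still carry the headers the module above tries to strip.

```python
"""Audit an App Service for version-disclosing headers on normal and error paths."""
import http.client
import sys

# Headers that the IIS module in the question removes
SENSITIVE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Probe paths taken from the question: a normal page, the trailing-colon
# path that produced a platform 500, and the %00 path that produced a 400.
PROBE_PATHS = ("/", "/test.txt:", "/400errortest%00")


def leaked_headers(headers):
    """Return the sensitive headers found in a list of (name, value) pairs, keyed lower-case."""
    return {name.lower(): value for name, value in headers if name.lower() in SENSITIVE_HEADERS}


def fetch_headers(host, path):
    """Send one GET over HTTPS and return (status, [(name, value), ...])."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def audit(host, fetch=fetch_headers, paths=PROBE_PATHS):
    """Probe each path; return {path: (status, leaked_headers_dict)}.

    `fetch` is injectable so the logic can be exercised without network access.
    """
    return {path: (lambda s, h: (s, leaked_headers(h)))(*fetch(host, path)) for path in paths}


if __name__ == "__main__":
    # Placeholder hostname from the question; pass your own site as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "yourAppService.azurewebsites.net"
    for path, (status, leaked) in audit(target).items():
        verdict = "OK" if not leaked else "LEAK " + ", ".join(f"{k}={v}" for k, v in leaked.items())
        print(f"{status} {path}: {verdict}")
```

Any path reported as LEAK is one where the response was produced before the in-app module ran, so the fix for it has to live at the platform or IIS level rather than in application code.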
Answer
If we use a URL ending with ":" to visit the Azure website, we get a 500 error; the default action should be a 404 error. The Azure team opened an internal bug and plans to fix it.