How can I remove excessive response header information from Azure Web-Apps?


Problem description

I have an MVC project that I deploy on Azure Web-Apps. I'm trying to remove the excessive header information. The reason I'm trying to remove this information is because it's a standard security practice. (Reference)

I'm trying to remove the below information from response headers:

Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET

I have the following code in my Global.asax.cs file:

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

But this doesn't affect the result.

Recommended answer

Try the following:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
     HttpContext.Current.Response.Headers.Remove("Server");
     HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
     HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
 }

Additionally, in Application_Start, call it with the following instruction:

PreSendRequestHeaders += Application_PreSendRequestHeaders;

To remove X-AspNet-Version, in the web.config find/create and add:

<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}

To remove X-Powered-By, in the web.config find/create and add:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    ...
</system.webServer>

You should be able to force all requests to go through your managed code by adding this to your webconfig:

<modules runAllManagedModulesForAllRequests="true" />

Even static files and not-found resources should obey your header rules.
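
To confirm the settings above took effect, including on static files and not-found responses, this added example (not part of the original answer) audits response headers for the names discussed on this page. The two sample header blocks are constructed, and `find_disclosing`, `parse_raw` and `audit_url` are hypothetical helper names.

```python
import urllib.error
import urllib.request
from email.parser import Parser

# Header names taken from the question and answer on this page (matched case-insensitively).
DISCLOSING = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")


def find_disclosing(header_pairs):
    """Return sorted (name, value) pairs that still disclose platform details.

    Works on a list of pairs so repeated headers (two X-Powered-By lines) are all reported.
    """
    return sorted((n.lower(), v.strip()) for n, v in header_pairs if n.lower() in DISCLOSING)


def parse_raw(raw):
    """Parse a raw response header block (status line first) into (name, value) pairs."""
    _status, _, rest = raw.lstrip().partition("\n")
    return Parser().parsestr(rest, headersonly=True).items()


def audit_url(url):
    """Fetch url and audit its headers; error responses (404, 500) are audited too."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError still carries the response headers
    return find_disclosing(resp.headers.items())


# Constructed sample: a static-file response before the fixes, using the question's values.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/css
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
"""

# Constructed sample: a not-found response once every setting from the answer is applied.
SAMPLE_AFTER = """HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 1245
"""

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_disclosing(parse_raw(raw)))
```

Run `audit_url` against a normal page, a static file and a non-existent path of your own deployment; an empty list on all three means no listed header is being sent.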
