How can I remove excessive response header information from Azure Web-Apps?
Problem description
I have an MVC project that I deploy on Azure Web-Apps. I'm trying to remove the excessive header information. The reason I'm trying to remove this information is because it's a standard security practice. (Reference)
I'm trying to remove the below information from response headers:
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
I have the following code in my Global.asax.cs file:
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}
But this does not affect the result.
Recommended answer
Try the following:
// Runs just before the response headers are sent to the client.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("Server");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
Additionally, in Application_Start, call it with the following instruction:
PreSendRequestHeaders += Application_PreSendRequestHeaders;
To remove X-AspNet-Version, in the web.config find/create and add:
<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:
protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}
To remove X-Powered-By, in the web.config find/create and add:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
    ...
</system.webServer>
You should be able to force all requests to go through your managed code by adding this to your web.config:
<modules runAllManagedModulesForAllRequests="true" />
Even static files and not-found resources should obey your header rules.
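To confirm the result after deploying, the following added example (not part of the original answer) checks captured response heads for the four headers named above, matching names case-insensitively and keeping duplicates such as the two X-POWERED-BY lines. The function names and the sample responses are constructed for illustration; in practice you would paste in the heads returned for a dynamic page, a static file and a missing resource.

```python
# Added example: flag version-disclosure headers in captured response heads.
# Header names come from the question above; everything else is illustrative.
DISCLOSURE = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

def parse_headers(raw):
    """Return [(name, value), ...] from a raw response head, keeping duplicates."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def leaked(raw):
    """Disclosure headers still present, matched case-insensitively."""
    return [(n, v) for n, v in parse_headers(raw) if n.lower() in DISCLOSURE]

def audit(samples):
    """Map each sample label to its leaked headers (empty list means clean)."""
    return {label: leaked(raw) for label, raw in samples.items()}

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "mvc page, before": """HTTP/1.1 200 OK
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
""",
    "static file": """HTTP/1.1 200 OK
Content-Type: text/css
Server: Microsoft-IIS/8.0
""",
    "not found, after": """HTTP/1.1 404 Not Found
Content-Type: text/html
""",
}

if __name__ == "__main__":
    for label, found in audit(SAMPLES).items():
        print(label, "->", found or "clean")
```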