Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan


Problem description

I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.

There must be a good solution for Azure that does not involve deploying installers from startup.cmd.

I understand that the response headers are added in different places:


  • Server: added by IIS.
  • X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
  • X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
  • X-Powered-By: added by IIS

Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?

Recommended answer

The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.

Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I've found (thanks to this blog, this answer (http://stackoverflow.com/a/7338448/590558), and this blog combined).

To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):

Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests (http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead). The correct version is to use BeginRequest event.

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var application = sender as HttpApplication;
        if (application != null && application.Context != null)
        {
            application.Context.Response.Headers.Remove("Server");
        }
    }

To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...
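
To confirm that the four changes above took effect after a deployment, the response headers can be checked with a short script. This is an added example, not part of the original answer: the function names (`parse_raw`, `disclosing`, `check_live`) are hypothetical and the sample responses are constructed for illustration.

```python
import http.client

# The four headers named in the question, compared case-insensitively.
DISCLOSING = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

def parse_raw(raw: bytes):
    """Split a raw HTTP response into a list of (name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # the first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def disclosing(pairs):
    """Return {lowercased header name: [values]} for listed headers still present."""
    found = {}
    for name, value in pairs:
        if name.lower() in DISCLOSING:
            found.setdefault(name.lower(), []).append(value)
    return found

def check_live(host, path="/", port=443):
    """Fetch one response from your own site and report leftover headers."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return disclosing(conn.getresponse().getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Server: Microsoft-IIS/7.5\r\nX-AspNet-Version: 4.0.30319\r\n"
          b"X-AspNetMvc-Version: 3.0\r\nX-Powered-By: ASP.NET\r\n\r\n<html></html>")
AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
PARTIAL = b"HTTP/1.1 404 Not Found\r\nSERVER: Microsoft-IIS/7.5\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("partial", PARTIAL)):
        print(label, disclosing(parse_raw(raw)))
```

Running `check_live` against several paths of your own deployment (a page, a static file, an error response) shows whether any response type still carries one of the headers.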
