从静态内容在IIS 7/8删除Server头 [英] Removing Server header from static content in IIS 7/8
问题描述
作为,努力使我们的API和网站更加安全的一部分,我去除泄漏有关网站正在运行哪些信息的标题。
As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.
剥头之前,例如:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
Web.config文件:
Web.config:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
的Global.asax.cs:
Global.asax.cs:
protected void Application_PreSendRequestHeaders() {
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
Response.AddHeader("Strict-Transport-Security", "max-age=300");
Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}
而在此之后,该网站和API的所有调用返回更加安全的头,像这样:
And after that, all calls to the site and API return safer headers, like so:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
到目前为止,一切都很好。不过,我在Firebug已经注意到,如果你看一下静态内容(loading.gif,例如),它仍包含服务器头。
So far, so good. However, I've noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the server header.
HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT
我假设这是由IIS处理弄好了,但到处都找不到删除该头。我试着加入:
I'm assuming this is being handled by IIS somehow, but can't find anywhere to remove that header. I've tried adding:
<remove name="Server" />
为上述Web.config中的httpProtocol / customHeaders部分。我也尝试进入IIS管理器的HTTP响应头部分,并增加了对服务器头一个假的名称/值对。在这两种情况下,仍返回
to the httpProtocol/customHeaders section in Web.config, as mentioned above. I've also tried going into the IIS Manager's HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns
Server: Microsoft-IIS/8.0
加载任何图像,CSS的时候,还是JS
。在哪里/我需要做什么设置的东西来解决这个问题?
when loading any images, CSS, or JS. Where/what do I need to set something to fix this?
推荐答案
您应该能够通过添加以下内容到webconfig强制所有请求通过你的管理code:
You should be able to force all requests to go through your managed code by adding this to your webconfig:
<modules runAllManagedModulesForAllRequests="true">
那么,即使静态文件要坚持你的头的规则。
Then, even static files should adhere to your header rules.
这篇关于从静态内容在IIS 7/8删除Server头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!