Removing Server header from static content in IIS 7/8

Views: 939

Problem description


As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.

Before stripping the headers, for example:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687


Web.config:

<!-- inside <system.webServer> -->
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>


Global.asax.cs:

// Runs just before response headers are flushed, for every request the
// managed (integrated-mode) pipeline handles.
protected void Application_PreSendRequestHeaders() {
    // Strip headers that fingerprint the server stack.
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
    // Add hardening headers.
    Response.AddHeader("Strict-Transport-Security", "max-age=300");
    Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}


And after that, all calls to the site and API return safer headers, like so:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687


So far, so good. However, I've noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the server header.

HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT


I'm assuming this is being handled by IIS somehow, but can't find anywhere to remove that header. I've tried adding:

<remove name="Server" /> 


to the httpProtocol/customHeaders section in Web.config, as mentioned above. I've also tried going into the IIS Manager's HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns

Server: Microsoft-IIS/8.0


when loading any images, CSS, or JS. Where/what do I need to set something to fix this?

Recommended answer


You should be able to force all requests to go through your managed code by adding this to your webconfig:

<modules runAllManagedModulesForAllRequests="true" /> <!-- inside <system.webServer> -->


Then, even static files should adhere to your header rules.
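A way to verify that the change actually took effect, as an added check that is not part of the question or the answer: the script below parses HTTP responses and reports which stack-disclosing headers (Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version) are still present and which of the two hardening headers from the Global.asax snippet are missing. The first sample is the static-content response quoted in the question; the second is a constructed response for a dynamic page after the Global.asax code has run. The function names (`parse_raw_response`, `audit_headers`, `fetch_headers`, `audit_paths`, `audit_raw`) are my own; `fetch_headers` and `audit_paths` hit the network and exist so the same audit can be run against a live site, including its images, CSS and JS and its error pages.

```python
"""Added example: audit HTTP responses for stack-disclosing headers."""
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Headers the question strips because they reveal the server stack.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Headers the Global.asax code adds; every response, static included, should carry them.
EXPECTED_HEADERS = {"strict-transport-security", "x-frame-options"}


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse the head of a raw HTTP/1.x response into (status, {lowercase-name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    status = int(lines[0].split(None, 2)[1])  # "HTTP/1.1 304 Not Modified" -> 304
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only (Etag/Date contain colons)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def audit_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return (leaks, missing): disclosure headers still present, expected headers absent."""
    leaks = {n: v for n, v in headers.items() if n in DISCLOSURE_HEADERS}
    missing = sorted(EXPECTED_HEADERS - headers.keys())
    return leaks, missing


def audit_raw(raw: str) -> Tuple[int, Dict[str, str], List[str]]:
    """Parse a raw response and audit it in one step."""
    status, headers = parse_raw_response(raw)
    leaks, missing = audit_headers(headers)
    return status, leaks, missing


def fetch_headers(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """Live check (uses the network). Error responses are audited too, since a 404 or 500
    page leaks headers just as readily as a 200."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def audit_paths(base_url: str, paths: List[str]) -> Dict[str, Tuple[Dict[str, str], List[str]]]:
    """Audit several paths; mix dynamic endpoints with images, CSS and JS so static handling is covered."""
    base = base_url.rstrip("/")
    return {p: audit_headers(fetch_headers(base + "/" + p.lstrip("/"))[1]) for p in paths}


# Sample 1: the static-content response quoted in the question (Server header still present).
STATIC_304 = (
    "HTTP/1.1 304 Not Modified\r\n"
    "Cache-Control: no-cache\r\n"
    "Accept-Ranges: bytes\r\n"
    'Etag: "a3f2a35bdf45ce1:0"\r\n'
    "Server: Microsoft-IIS/8.0\r\n"
    "Date: Tue, 25 Jun 2013 18:33:16 GMT\r\n"
    "\r\n"
)

# Sample 2: a constructed response for a dynamic page after the Global.asax code has run.
DYNAMIC_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Date: Tue, 25 Jun 2013 18:33:16 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("static loading.gif", STATIC_304), ("dynamic page", DYNAMIC_OK)):
        status, leaks, missing = audit_raw(raw)
        print(f"{label}: HTTP {status}; leaks={leaks or 'none'}; missing={missing or 'none'}")
```

Against the question's static sample the audit reports the Server header as a leak and both hardening headers as missing; against the constructed dynamic sample it reports nothing. Running `audit_paths` with a list that includes a few static paths (a .gif, a .css, a .js) and a path that returns an error is the quickest way to confirm that `runAllManagedModulesForAllRequests` is now covering everything.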
