删除“服务器"来自 ASP.NET Core 2.1 应用程序的标头 [英] Remove "Server" header from ASP.NET Core 2.1 application

问题描述

是否可以删除 ASP.NET Core 2.1 应用程序中的 Server 响应标头(在带有 IIS 10 的 Server 2016 上运行)?

Is it possible to remove the Server Response header in a ASP.NET Core 2.1 application (running on Server 2016 with IIS 10)?

我尝试将以下内容放入 web.config:

I tried putting the following in the web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <remove name="X-Powered-By" />
            <remove name="Server" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

对 Response 的前四个更改工作正常，但没有删除 Server 标头.我仍然看到红隼"

The first four alterations to the Response worked fine, but the Server header was not removed. I still see "Kestrel"

推荐答案

Kestrel Server 标头在请求管道中添加得太晚了.因此无法通过 web.config 或中间件删除它.

The Kestrel Server header gets added too late in the request pipeline. Therefore removing it via the web.config or via middleware is not possible.

您可以通过设置 AddServerHeader 属性 到 KestrelServerOptions 上的 false，这可以在 Program.cs 中完成.

You can remove the Server header by setting the AddServerHeader property to false on KestrelServerOptions, this can be done in the Program.cs.

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(options => options.AddServerHeader = false)
            .UseStartup<Startup>();

这篇关于删除“服务器"来自 ASP.NET Core 2.1 应用程序的标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！