在没有 UrlScan 的情况下删除/隐藏/禁用 Azure/IIS7 中过多的 HTTP 响应标头 [英] Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan
问题描述
我需要删除过多的标题(主要是为了通过渗透测试).我花时间研究了涉及运行 UrlScan 的解决方案,但这些解决方案很麻烦,因为 每次启动 Azure 实例时都需要安装 UrlScan.
I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started.
必须有一个很好的 Azure 解决方案,不涉及从 startup.cmd 部署安装程序.
There must be a good solution for Azure that does not involve deploying installers from startup.cmd.
我了解响应标头添加在不同的地方:
I understand that the response headers are added in different places:
- 服务器:由 IIS 添加.
- X-AspNet-Version:由System.Web.dll在HttpResponse类Flush时添加
- X-AspNetMvc-Version:由 System.Web.dll 中的 MvcHandler 添加.
- X-Powered-By:由 IIS 添加
- Server: added by IIS.
- X-AspNet-Version: added by System.Web.dll at the time of Flush in HttpResponse class
- X-AspNetMvc-Version: Added by MvcHandler in System.Web.dll.
- X-Powered-By: added by IIS
有什么方法可以配置(通过 web.config 等?)IIS7 来删除/隐藏/禁用 HTTP 响应标头以避免 asafaweb.com,无需创建 IIS 模块或部署每次 Azure 实例启动时都需要运行的安装程序?
Is there any way to configure (via web.config etc.?) IIS7 to remove/hide/disable the HTTP response headers to avoid the "Excessive Headers" warning at asafaweb.com, without creating an IIS module or deploying installers which need to be run each time an Azure instance starts?
推荐答案
以下更改允许您在 Azure 中删除这些 HTTP 响应标头而无需编写自定义 HttpModule.
The following changes allow you to remove these HTTP response headers in Azure without writing a custom HttpModule.
网上的大部分信息都已过时,涉及 UrlScan(此后已集成到 IIS7 中,但删除了 RemoveServerHeader=1 选项).下面是我找到的最简洁的解决方案(感谢 这个博客、这个答案和此博客 合并).
Most of the information on the net is out of date, and involves UrlScan (which has since been integrated into IIS7, but with the RemoveServerHeader=1 option removed). Below is the neatest solution I've found (thanks to this blog, this answer, and this blog combined).
要删除服务器,请转到 Global.asax,找到/创建 Application_PreSendRequestHeaders 事件并添加以下内容(感谢 BK 和 这个博客 这也不会在 Cassini/本地开发上失败):
To remove Server, go to Global.asax, find/create the Application_PreSendRequestHeaders event and add the following (thanks to BK and this blog this will also not fail on Cassini / local dev):
2014 年 4 月您可以将 PreSendRequestHeaders 和 PreSendRequestContext 事件与本机 IIS 模块一起使用,但不要将它们与实现 IHttpModule 的托管模块一起使用.设置这些属性可能会导致 异步请求.正确的版本是使用 BeginRequest 事件.
Edited April 2014: You can use the PreSendRequestHeaders and PreSendRequestContext events with native IIS modules, but do not use them with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The correct version is to use BeginRequest event.
protected void Application_BeginRequest(object sender, EventArgs e)
{
var application = sender as HttpApplication;
if (application != null && application.Context != null)
{
application.Context.Response.Headers.Remove("Server");
}
}
要删除 X-AspNet-Version,在 web.config 中查找/创建
To remove X-AspNet-Version, in the web.config find/create <system.web> and add:
<system.web>
<httpRuntime enableVersionHeader="false" />
...
要删除 X-AspNetMvc-Version,请转到 Global.asax,找到/创建 Application_Start 事件并添加如下一行:
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
要删除 X-Powered-By,在 web.config 中找到/创建
To remove X-Powered-By, in the web.config find/create <system.webServer> and add:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
...
这篇关于在没有 UrlScan 的情况下删除/隐藏/禁用 Azure/IIS7 中过多的 HTTP 响应标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
