燮pressing HTTP 500响应codeS [英] Suppressing HTTP 500 response codes

问题描述

我有一点从有关网站返回的HTTP 500响应codeS一些威胁和漏洞乡亲反馈。本质上的建议是，必须采取一切可能的措施来避免服务器抛出500（即粗放型输入验证），这是很好的。

I’ve had a bit of feedback from some threat and vulnerability folks relating to websites returning HTTP 500 response codes. Essentially the advice is that all possible measures must be taken to avoid the server throwing a 500 (i.e. extensive form input validation) which is fine.

不过，意见还提出，试图通过诸如插入标记为一个随机的查询字符串导致ASP.NET请求验证火灾或操纵视图状态应该也不会返回HTTP 500显然，本机框架的行为危及安全是间preT请求，并可能抛出一个自定义错误页，但即使这会返回一个500响应code。

However, the advice also suggested that attempts to compromise security by means such as inserting a tag into a random query string causing ASP.NET request validation to fire or manipulating viewstate also should not return an HTTP 500. Obviously the native framework behaviour is to interpret the request and possibly throw to a custom error page but even this will return a 500 response code.

所以我后如何处理这一些想法来的。有什么办法来配置在.NET版本级别或IIS级应用返回一个HTTP 200当500长大的吗？或者，这是否成为Global.asax的水平运动编码在应用程序中的活动之一？是否有其他后果的考虑？

So I’m after some thoughts on how to approach this. Is there any way to configure the app at either the .NET level or IIS level to return an HTTP 200 when a 500 is raised? Or does this become a coding exercise at global.asax level in one of the application events? Are there other consequences to consider?

顺便说一句，从安全性方面的理由是，它会返回HTTP 500应用可能会被机器人随机扫描安全漏洞并进行进一步的恶意行为被视为低挂的果实。尝试我个人不相信改变响应codeS提供任何真正的安全收益，但很高兴hapy采取的利弊的意见。

BTW, the rationale from the security side is that apps which return HTTP 500 may be viewed as "low hanging fruit" by bots randomly scanning for vulnerabilities and prompt further malicious activity. attempts I’m personally not convinced that changing response codes offers any real security gains but am happy to hapy to take the advice of the pros.

推荐答案

要回答你的问题：的Global.asax 是正确的位置，特别是的Application_Error 事件处理程序。你应该能够做到像

To answer your question: global.asax is the correct place, in particular, the Application_Error event handler. You should be able to do something like

Response.StatusCode = 200
Response.StatusDescription = "OK"

有。

PS ：不要这样做。 :-)对我来说，这听起来像是另一种安全通过隐匿按违反标准的方法。我真的不认为（可能是边际）增加安全性是值得打破正确的HTTP行为（想想谷歌索引你的错误页面，等等）。

PS: Don't do it. :-) To me, this sounds like yet another security-by-obscurity-by-violating-standards approach. I really don't think the (possibly marginal) security increase is worth breaking correct HTTP behavior (think about Google indexing your error pages, etc.).

这篇关于燮pressing HTTP 500响应codeS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！