在仅HTTPS站点上对HTTP HEAD请求的正确响应 [英] Correct response to HTTP HEAD Request on HTTPS only site

问题描述

我们有一个只能通过HTTPS访问的ASP.Net MVC3站点，使用控制器上的RequireHTTPS属性。

We have an ASP.Net MVC3 site only accessible over HTTPS, by using the RequireHTTPS attribute on the controller.

我们收到大量的HTTP HEAD方法请求，主要是从看似Twitter的机器人。默认的ASP.Net/MVC3响应是'500内部服务器错误'，正在被elmah和log4net捕获/记录（现已过滤掉！）。

We are receiving numerous HTTP HEAD method requests, mainly from what appear to be Twitter bots. The default ASP.Net/MVC3 response is a '500 Internal Server Error', and are being caught/logged by elmah and log4net (now filtered out!).

I可以编写一个特定的控制器和路由来处理这些非HTTPS请求 - 在asp.NET MVC 3中响应HEAD请求。

I could write a specific controller and route to handle these non-HTTPS requests as per this question - Responding to HEAD Request in asp.NET MVC 3.

但是，从机器人的角度来看，什么是最好的响应？ 200显示服务器是活动的，302重定向到HTTPS网址，还是坚持500，因为网站无法通过HTTP访问？

But, from the bots perspective what would be the best response? 200 to show the server is alive, a 302 redirect to the HTTPS url, or stick with the 500 as the site isn't accessible over HTTP?

推荐答案

您可以回复

405 Method Not Allowed

这意味着

请求行中指定的方法是不允许使用Request-URI标识的资源。响应必须包含一个Allow标头，其中包含所请求资源的有效方法列表。

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

或

501 Not Implemented

意味着

服务器不支持完成请求所需的功能。当服务器无法识别请求方法且无法为任何资源支持时，这是适当的响应。

The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource.

就个人而言，我会使用 405 ，因为它在客户端出错，嘿嘿，我们不在这里提供这些东西。似乎比我更合适你到底在说什么？我不明白。一，后者是由建议服务器无法识别请求方法位 501 描述。

Personally, I would go with the 405 since it's an error on the client side, a "Hey man, we don't serve that stuff here." seems more appropriate to me than "What the hell are you talking about? I don't understand it." one, the latter is suggested by the the server does not recognize the request method bit of the 501 description.

所有HTTP状态代码：http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

All the HTTP status codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

这篇关于在仅HTTPS站点上对HTTP HEAD请求的正确响应的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！