asp.net 移除Server, X-Powered-By, 和X-AspNet-Version头

我们在开发Asp.net中,最后部署在IIS上. 然后发送HTTP请求,返回的HTTP头中包含Server, X-Powered-By, 和 X-AspNet-Version信息. 这些信息有时给攻击者找寻你的站点漏洞提供的依据. 如下图我们通过FireBug查看到:

2011-08-07_header

        移除X-AspNet-Version很简单,只需要在Web.config中增加这个配置节:

 <httpRuntime enableVersionHeader="false" />

       

    public class RemoveServerInfoModule : IHttpModule
    {
        #region IHttpModule Members
        public void Dispose()
        {
            //no code nescessary
        }

        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
        }

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            // strip the "Server" header from the current Response 
            HttpContext.Current.Response.Headers.Remove("Server");
        }
        #endregion
    }

上面这段代码会arise exceptioin,我们最好这样实现PreSendRequestHeaders方法:

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            try
            {
                HttpApplication app = sender as HttpApplication;
                if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
                {
                    var headers = app.Context.Response.Headers;
                    if (null != headers)
                    {
                        headers.Remove("Server");
                    }
                }
            }
            catch (Exception)
            {
                throw;
            }
        }

最后在Web.config中配置这个HttpModule:

    <httpModules>
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
    </httpModules>

  For IIS 7:

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" >
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
    </modules>
  </system.webServer>

       这样就OK了, 你再运行Asp.net web application时, Server,X-AspNet-Version等信息已经不显示了.

       希望对您开发,有帮助.

 

posted @ 2014-11-21 15:46  hg一如既往  阅读(2634)  评论(0编辑  收藏  举报