ASP.NET: removing the Server, X-Powered-By, and X-AspNet-Version headers
When we develop in ASP.NET and finally deploy on IIS, every HTTP response carries Server, X-Powered-By and X-AspNet-Version headers. This information can give an attacker a lead when hunting for vulnerabilities in your site. The screenshot below, taken in Firebug, shows them:
Removing X-AspNet-Version is simple: just add this configuration element to Web.config:
    <httpRuntime enableVersionHeader="false" />
Removing the Server header takes an HttpModule:
    using System;
    using System.Web;

    namespace MyWeb
    {
        public class RemoveServerInfoModule : IHttpModule
        {
            #region IHttpModule Members

            public void Dispose()
            {
                // no code necessary
            }

            public void Init(HttpApplication context)
            {
                context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
            }

            void context_PreSendRequestHeaders(object sender, EventArgs e)
            {
                // strip the "Server" header from the current Response
                HttpContext.Current.Response.Headers.Remove("Server");
            }

            #endregion
        }
    }
The code above can throw an exception, so it is better to implement PreSendRequestHeaders this way:
    void context_PreSendRequestHeaders(object sender, EventArgs e)
    {
        try
        {
            HttpApplication app = sender as HttpApplication;
            // only touch the headers when the request and response objects exist
            // and the request did not come from the local machine
            if (null != app && null != app.Request && !app.Request.IsLocal &&
                null != app.Context && null != app.Context.Response)
            {
                var headers = app.Context.Response.Headers;
                if (null != headers)
                {
                    headers.Remove("Server");
                }
            }
        }
        catch (Exception)
        {
            throw;
        }
    }
Finally, register the HttpModule in Web.config (under system.web for the classic pipeline):
    <system.web>
      <httpModules>
        <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
      </httpModules>
    </system.web>
For IIS 7:
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true">
        <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
      </modules>
    </system.webServer>
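The post's title also names X-Powered-By, which IIS itself adds and which neither httpRuntime nor the module above touches. As an added example (not from the original post), this Web.config fragment combines all three removals for IIS 7 in integrated mode: the ASP.NET version header switch, the module from this post for Server, and IIS's customHeaders section for X-Powered-By. It assumes the module is compiled in the MyWeb namespace as registered above.

```xml
<configuration>
  <system.web>
    <!-- stops ASP.NET from emitting X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <!-- X-Powered-By is set by IIS, not ASP.NET, so it is removed here -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- the module from this post strips Server just before headers are sent -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
    </modules>
  </system.webServer>
</configuration>
```

After deploying, confirm the result with curl -I against the site: none of the three headers should appear in the response.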
That is all. When you run the ASP.NET web application again, the Server and X-AspNet-Version headers are no longer sent.
I hope this helps with your development.