C# 从 IIS 7/8 中的静态内容中删除服务器标头
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/17305195/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Removing Server header from static content in IIS 7/8
提问by Chris Doggett
As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.
作为使我们的 API 和站点更安全的努力的一部分,我正在删除泄漏有关站点运行内容的信息的标头。
Example before stripping headers:
剥离标题前的示例:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
Web.config:
网页配置:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
Global.asax.cs:
Global.asax.cs:
protected void Application_PreSendRequestHeaders() {
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
Response.AddHeader("Strict-Transport-Security", "max-age=300");
Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}
And after that, all calls to the site and API return safer headers, like so:
之后,对站点和 API 的所有调用都会返回更安全的标头,如下所示:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
So far, so good. However, I've noticed in Firebug that if you look at static content (loading.gif, for example), it still includes the server header.
到现在为止还挺好。但是,我在 Firebug 中注意到,如果您查看静态内容(例如,loading.gif),它仍然包含服务器标头。
HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT
I'm assuming this is being handled by IIS somehow, but can't find anywhere to remove that header. I've tried adding:
我假设这是由 IIS 以某种方式处理的,但找不到任何地方可以删除该标头。我试过添加:
<remove name="Server" />
to the httpProtocol/customHeaders section in Web.config, as mentioned above. I've also tried going into the IIS Manager's HTTP Response Headers section and adding a fake name/value pair for the Server header. In both cases, it still returns
到 Web.config 中的 httpProtocol/customHeaders 部分,如上所述。我还尝试进入 IIS 管理器的 HTTP 响应标头部分并为服务器标头添加一个假名称/值对。在这两种情况下,它仍然返回
Server: Microsoft-IIS/8.0
when loading any images, CSS, or JS. Where/what do I need to set something to fix this?
加载任何图像、CSS 或 JS 时。我需要在哪里/什么设置一些东西来解决这个问题?
采纳答案by Bill Gregg
You should be able to force all requests to go through your managed code by adding this to your webconfig:
您应该能够通过将其添加到您的 webconfig 来强制所有请求通过您的托管代码:
<modules runAllManagedModulesForAllRequests="true">
Then, even static files should adhere to your header rules.
然后,即使是静态文件也应该遵守您的标题规则。
回答by Gabriel
The same way that's in this answer, and in this website:, you should use the following steps:
与此答案和此网站中的方法相同:,您应该使用以下步骤:
C#:
C#:
namespace MvcExtensions.Infrastructure
{
public class CustomServerName : IHttpModule
{
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += OnPreSendRequestHeaders;
}
public void Dispose() { }
void OnPreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("Server");
}
}
}
Web.config:
网页配置:
<system.webServer>
<modules>
<add name="CustomHeaderModule" type="MvcExtensions.Infrastructure.CustomServerName" />
</modules>
</system.webServer>
回答by ph1ll
Unfortunately managed code modules only work for code passing through the ASP.NET pipeline, whilst others have correctly suggested it is possible to force all requests through managed code, I personally feel this is less than desirable.
不幸的是,托管代码模块仅适用于通过 ASP.NET 管道传递的代码,而其他人正确地建议可以通过托管代码强制所有请求,我个人觉得这不太理想。
In order to remove headers from all requests, including static content, which by default is served directly and not through managed code, it is possible to use a Native-Code module. Unfortunately Native-Code modules are a little more difficult to write as they use the win32 APIs rather than ASP.NET, however in my experience they are much more suitable to removing headers.
为了从所有请求中删除标头,包括默认情况下直接提供而不是通过托管代码提供的静态内容,可以使用 Native-Code 模块。不幸的是,本机代码模块编写起来有点困难,因为它们使用 win32 API 而不是 ASP.NET,但是根据我的经验,它们更适合删除标头。
The following link has binaries and source code for a Native-Code module that can be used to remove headers. It requires no extra configuration to remove the "Server" headers, but other headers to remove can be added in the IIS configuration.
以下链接包含可用于删除标头的 Native-Code 模块的二进制文件和源代码。删除“服务器”标头不需要额外的配置,但可以在 IIS 配置中添加要删除的其他标头。
http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
回答by Aathira
Use the IIS UrlRewrite 2.0 for blanking the Server response header. Add following code in the Web.config file
使用 IIS UrlRewrite 2.0 来清空服务器响应标头。在 Web.config 文件中添加以下代码
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+" />
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
回答by hexpoint
The only one without an easy listed solution for was the "Server" header. I was able to remove it locally in IIS and in an Azure web site by adding this in the web.config
唯一没有简单列出的解决方案是“服务器”标头。通过在 web.config 中添加它,我能够在 IIS 和 Azure 网站中本地删除它
<system.webServer>
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
