ASP.NET: Removing the Server, X-Powered-By, and X-AspNet-Version Headers
2011-08-07 13:29
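When we develop an ASP.NET application and deploy it on IIS, the HTTP responses it returns include the Server, X-Powered-By, and X-AspNet-Version headers. This information can sometimes give attackers a basis for finding vulnerabilities in your site. As the figure below shows, we can see these headers with FireBug: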
Removing X-AspNet-Version is simple: just add this configuration element to Web.config:
    <httpRuntime enableVersionHeader="false" />
To remove the Server header, we can write a custom HttpModule. Look at the following code:
    using System;
    using System.Web;

    namespace MyWeb
    {
        public class RemoveServerInfoModule : IHttpModule
        {
            #region IHttpModule Members

            public void Dispose()
            {
                // no code necessary
            }

            public void Init(HttpApplication context)
            {
                // run the handler just before the response headers are sent
                context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
            }

            void context_PreSendRequestHeaders(object sender, EventArgs e)
            {
                // strip the "Server" header from the current Response
                HttpContext.Current.Response.Headers.Remove("Server");
            }

            #endregion
        }
    }
The code above can raise an exception, so it is better to implement the PreSendRequestHeaders handler like this:
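    void context_PreSendRequestHeaders(object sender, EventArgs e)
    {
        try
        {
            HttpApplication app = sender as HttpApplication;
            // skip local requests and guard against a missing request, context or response
            if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
            {
                var headers = app.Context.Response.Headers;
                if (null != headers)
                {
                    headers.Remove("Server");
                }
            }
        }
        catch (Exception ex)
        {
            // Log is the author's own logging helper; it is not shown on this page
            Log.HandleException(ex);
        }
    }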
Finally, register this HttpModule in Web.config:
    <httpModules>
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
    </httpModules>
For IIS 7:
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true">
        <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
      </modules>
    </system.webServer>
That's it. When you run the ASP.NET web application again, the Server, X-AspNet-Version, and related information is no longer shown.
I hope this helps with your development.
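Copyright of this article is shared by the author and 博客园 (Cnblogs). Reposting is welcome, but unless the author agrees otherwise, this notice must be retained and a link to the original article must be given in a prominent position on the page; otherwise the right to pursue legal liability is reserved.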