ASP.NET: Removing the Server, X-Powered-By, and X-AspNet-Version Headers
2014-11-21 15:46
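When we develop with ASP.NET, the application is eventually deployed on IIS. When an HTTP request is sent, the returned HTTP headers include the Server, X-Powered-By, and X-AspNet-Version information. This information sometimes gives attackers a basis for finding vulnerabilities in your site. As shown in the figure below, we can see the headers with FireBug: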
Removing X-AspNet-Version is simple: just add this configuration section to Web.config:

```xml
<httpRuntime enableVersionHeader="false" />
```
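```csharp
using System;
using System.Web;

// The namespace matches type="MyWeb.RemoveServerInfoModule" in the Web.config registration.
namespace MyWeb
{
    public class RemoveServerInfoModule : IHttpModule
    {
        #region IHttpModule Members

        public void Dispose()
        {
            // no code necessary
        }

        public void Init(HttpApplication context)
        {
            // Run just before the response headers are sent to the client.
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
        }

        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            // strip the "Server" header from the current Response
            HttpContext.Current.Response.Headers.Remove("Server");
        }

        #endregion
    }
}
```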
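The code above will raise an exception. It is better to implement the PreSendRequestHeaders handler like this:

```csharp
void context_PreSendRequestHeaders(object sender, EventArgs e)
{
    try
    {
        HttpApplication app = sender as HttpApplication;

        // Null-check every object on the path to the headers, and skip
        // local requests (IsLocal): those keep their Server header.
        if (null != app && null != app.Request && !app.Request.IsLocal
            && null != app.Context && null != app.Context.Response)
        {
            var headers = app.Context.Response.Headers;
            if (null != headers)
            {
                headers.Remove("Server");
            }
        }
    }
    catch (Exception)
    {
        // Rethrow unchanged.
        throw;
    }
}
```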
Finally, register this HttpModule in Web.config:

```xml
<httpModules>
  <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
</httpModules>
```
For IIS 7:
```xml
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
  </modules>
</system.webServer>
```
That's it. When you run the ASP.NET web application again, the Server, X-AspNet-Version, and related information is no longer shown.

I hope this helps with your development.
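To confirm the result after deployment, the following check reports which of the three headers a response still carries. It is an added example, not code from the original post; the sample responses are constructed, and the script name and URL in the usage comment are hypothetical.

```python
import sys
import urllib.error
import urllib.request
from email.parser import BytesParser

# The three headers this page removes; HTTP header names are case-insensitive.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Constructed sample responses (not captured from a real server).
SAMPLE_BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Server: Microsoft-IIS/7.5\r\nX-AspNet-Version: 4.0.30319\r\n"
                 b"X-Powered-By: ASP.NET\r\n\r\n<html>Server: in body</html>")
SAMPLE_AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def _collect(headers, names):
    """Pick the named headers out of an email.message.Message-like object."""
    found = {}
    for name in names:
        values = headers.get_all(name)
        if values:
            found[name] = [v.strip() for v in values]
    return found


def find_disclosure_headers(raw_response, names=DISCLOSURE_HEADERS):
    """Return {header: [values]} for disclosure headers in a raw HTTP response."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]      # ignore the body
    _, _, block = head.partition(b"\r\n")              # drop the status line
    msg = BytesParser().parsebytes(block + b"\r\n\r\n", headersonly=True)
    return _collect(msg, names)


def audit_url(url, timeout=10):
    """Fetch url and audit it; 4xx/5xx responses are audited as well."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err                                     # error pages carry headers too
    with resp:
        return _collect(resp.headers, DISCLOSURE_HEADERS)


if __name__ == "__main__":
    # Usage: python check_headers.py http://your-site.example/  (hypothetical)
    leaks = audit_url(sys.argv[1]) if len(sys.argv) > 1 else find_disclosure_headers(SAMPLE_BEFORE)
    for name, values in leaks.items():
        print("still disclosed: %s: %s" % (name, ", ".join(values)))
    sys.exit(1 if leaks else 0)
```

Run the check from another machine: the handler above skips requests where `IsLocal` is true, so a request made on the server itself still shows the Server header.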