it-swarm.cn

如何删除IIS / ASP.NET响应标头

我有几个IIS/6.0服务器,安全性要求我删除几个响应标头,这些响应标头根据请求发送到客户端浏览器。他们担心通过响应头泄露平台信息。我已从网站的IIS=)配置中删除了所有HTTP-HEADERS(X-Powered-By或某些此类标题)。

(我个人确实知道即使隐藏了这些信息也很容易找到,但这不是我的电话。)

我要删除的标题:

  • 服务器-Microsoft-IIS/6.0
  • X-AspNet版本-2.0.50727

我也知道ASP.NET MVC也会发出自己的标头,如果您也知道如何删除它,那将会很有帮助。

  • X-AspNetMvc-Version-1.0
48
Bryan Rehbein

您的安全部门希望您执行此操作,以使服务器类型更难识别。这可能会减少自动黑客工具的数量,并使人们更难以侵入服务器。

在IIS中,打开网站属性,然后转到“ HTTP标头”选项卡。大多数X-标头都可以在此处找到并删除。可以为单个站点或整个服务器完成此操作(修改树中“ Web站点”对象的属性)。

对于Server标头,在IIS6上,您可以使用Microsoft的 RLScan 工具对其进行远程管理。 Port 80 Software还生产一种名为 ServerMask 的产品,它将为您解决更多的问题。

对于IIS7(及更高版本),可以使用 RL重写模块 重写服务器标头或将其值保留为空白。在web.config(在站点或整个服务器上)中,在安装URL重写模块后添加以下内容:

<rewrite>    
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>

您可以根据需要将自定义值放入重写操作中。此示例来自 本文 ,它也具有其他重要信息。

对于MVC标头,请在Global.asax中:

MvcHandler.DisableMvcResponseHeader = true;

由于TechNet博客链接不再有效,已编辑11-12-2019以更新IIS7信息。

32
Justin Scott

要删除所有泄露太多信息的自定义标头,请对IIS 7)使用多种方法(不幸的是):

标题名称:X-Powered-By

加:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

在里面 <system.webServer> 部分。

标头名称:服务器

通过从PreSendRequestHeaders事件中调用Response.Headers.Remove(“ Server”),实现一个httpModule来剥离此标头。另一个资源: 将ASP.NET MVC Web应用程序隐藏在IIS 7

标头名称:X-AspNet-Version

在web.config的httpRuntime部分中-设置:

<httpRuntime enableVersionHeader="false" />

标头名称:X-AspNetMvc-Version

从global.asax中的Application_Start事件-执行以下代码(C#):

MvcHandler.DisableMvcResponseHeader = true;
58
Adam

将其放在ASP.NET应用程序的web.config文件中将摆脱X-AspNet-Version标头:

<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>

请注意,文件中应该已经存在system.web标记。不要创建重复项,只需添加httpRuntime标记。 httpRuntime标记也可能已经存在。如果是这样,只需添加该属性或设置其值(如果已经存在)。

16
squillman

刚经历了当前项目的“强化”周期- 我在博客中介绍了我们采用的方法,其中包括用于删除以下标头的HTTPModule

服务器,
X-AspNet版本,
X-AspNetMvc-Version,
X-Powered-By

相关作品转载如下:

但是没有简单的方法可以通过配置删除服务器响应标头。幸运的是,IIS7具有托管的可插拔模块基础结构,可让您轻松扩展其功能。以下是用于删除指定的HTTP响应标头列表的HttpModule的源:

namespace Zen.Core.Web.CloakIIS
{
    #region Using Directives

    using System;
    using System.Collections.Generic;
    using System.Web;

    #endregion

    /// <summary>
    /// Custom HTTP Module for Cloaking IIS7 Server Settings to allow anonymity
    /// </summary>
    public class CloakHttpHeaderModule : IHttpModule
    {
        /// <summary>
        /// List of Headers to remove
        /// </summary>
        private List<string> headersToCloak;

        /// <summary>
        /// Initializes a new instance of the <see cref="CloakHttpHeaderModule"/> class.
        /// </summary>
        public CloakHttpHeaderModule()
        {
            this.headersToCloak = new List<string>
                                      {
                                              "Server",
                                              "X-AspNet-Version",
                                              "X-AspNetMvc-Version",
                                              "X-Powered-By",
                                      };
        }

        /// <summary>
        /// Dispose the Custom HttpModule.
        /// </summary>
        public void Dispose()
        {
        }

        /// <summary>
        /// Handles the current request.
        /// </summary>
        /// <param name="context">
        /// The HttpApplication context.
        /// </param>
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
        }

        /// <summary>
        /// Remove all headers from the HTTP Response.
        /// </summary>
        /// <param name="sender">
        /// The object raising the event
        /// </param>
        /// <param name="e">
        /// The event data.
        /// </param>
        private void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            this.headersToCloak.ForEach(h => HttpContext.Current.Response.Headers.Remove(h));
        }
    }
}

确保您对程序集进行签名,然后可以将其安装到Web服务器的GAC中,并只需对应用程序的web.config进行以下修改(或者如果希望将其全局应用到machine.config):

<configuration>
    <system.webServer>
        <modules>
            <add name="CloakHttpHeaderModule" 
                 type="Zen.Core.Web.CloakIIS.CloakHttpHeaderModule, Zen.Core.Web.CloakIIS, 
                       Version=1.0.0.0, Culture=neutral, PublicKeyToken=<YOUR TOKEN HERE>" />
        </modules>
    </system.webServer>
</configuration>
5
HowardvanRooijen

检查 此博客 。不要使用代码删除响应头。它不稳定 Microsoft

请改用Web.config自定义标头部分:

<system.webServer>          
<httpProtocol>
    <!-- Security Hardening of HTTP response headers -->
    <customHeaders>
        <!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent 
                Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. 
                 By preventing a browser from framing your site you can defend against attacks like clickjacking. 
                 Recommended value "x-frame-options: SAMEORIGIN" -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that 
                 they should only read the master crossdomain.xml file from the root of the website. 
                 https://www.Adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
        <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

        <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. 
                 Recommended value "X-XSS-Protection: 1; mode=block". -->
        <add name="X-Xss-Protection" value="1; mode=block" />

        <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. 
                 If you have sensitive information in your URLs, you don't want to forward to other domains 
                 https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
        <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

        <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
        <remove name="X-Powered-By" />

        <!-- Ensure the cache-control is public, some browser won't set expiration without that  -->
        <add name="Cache-Control" value="public" />
    </customHeaders>
</httpProtocol>

<!-- Prerequisite for the <rewrite> section
            Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/Microsoft/url-rewrite -->
<rewrite>
    <!-- Remove Server response headers (OWASP Security Measure) -->
    <outboundRules rewriteBeforeCache="true">
        <rule name="Remove Server header">
            <match serverVariable="RESPONSE_Server" pattern=".+" />

            <!-- Use custom value for the Server info -->
            <action type="Rewrite" value="Your Custom Value Here." />
        </rule>
    </outboundRules>
</rewrite>
</system.webServer>
2
mitaka

我使用以下代码为我iis 7.5工作

protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}
1
Nasir Mahmood

我使用Web.configGlobal.asax.cs删除所有自定义标头,包括以下标头:

  • 服务器
  • X-AspNet版本
  • X-AspNetMvc版本

Web.config:

<system.web> 
  <httpRuntime enableVersionHeader="false"/> 
</system.web>
<system.webServer>
   <httpProtocol>
      <customHeaders>
         <clear />
      </customHeaders>
   </httpProtocol>
</system.webServer> 

Global.asax.cs:

protected void Application_Start() 
{ 
    MvcHandler.DisableMvcResponseHeader = true; 
}

另请参阅 https://stackoverflow.com/a/20739875/1678525

0
Jan H