How to remove ASP.Net MVC default HTTP headers?

Posted on 2024-09-13 02:12:22

Each page in an MVC application I'm working with sets these HTTP headers in responses:

X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0

How do I prevent these from showing?

久隐师 2024-09-20 02:12:23

I found this configuration in my web.config which was for a New Web Site... created in Visual Studio (as opposed to a New Project...). Since the question states an ASP.NET MVC application, not as relevant, but still an option.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <clear />
      <remove name="X-Powered-By" />
    </customHeaders>
   </httpProtocol>
</system.webServer>

Update: Also, Troy Hunt has an article titled Shhh… don’t let your response headers talk too loudly with detailed steps on removing these headers as well as a link to his ASafaWeb tool for scanning for them and other security configurations.

故事还在继续 2024-09-20 02:12:23

.NET Core

To remove the Server header, within the Program.cs file, add the following option:

.UseKestrel(opt => opt.AddServerHeader = false)

For dot net core 1, add the option inside the .UseKestrel() call. For dot net core 2, add the line after UseStartup().

To remove X-Powered-By header, if deployed to IIS, edit your web.config and add the following section inside the system.webServer tag:

<httpProtocol>
    <customHeaders>
        <remove name="X-Powered-By" />
    </customHeaders>
</httpProtocol>

.NET 4.5.2

To remove the Server header, within your global.asax file add the following:

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string[] headers = { "Server", "X-AspNet-Version" };

        if (!Response.HeadersWritten)
        {
            Response.AddOnSendingHeaders((c) =>
            {
                if (c != null && c.Response != null && c.Response.Headers != null)
                {
                    foreach (string header in headers)
                    {
                        if (c.Response.Headers[header] != null)
                        {
                            c.Response.Headers.Remove(header);
                        }
                    }
                }
            });
        }

    }

Pre .NET 4.5.2

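Add the following C# class to your project:

using System;
using System.Web;

// HTTP module that strips the Server header just before the response headers are sent.
public class RemoveServerHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Subscribe to the event raised right before headers go to the client.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("Server");
    }
}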

and then within your web.config add the following <modules> section:

<system.webServer>
    ....
    <modules>
        <add name="RemoveServerHeaderModule" type="MyNamespace.RemoveServerHeaderModule" />
    </modules>
</system.webServer>

However I had a problem where sub-projects couldn't find this module. Not fun.

Removing X-AspNetMvc-Version header

To remove the "X-AspNetMvc-Version" tag, for any version of .NET, modify your "web.config" file to include:

<system.web>
...
   <httpRuntime enableVersionHeader="false" />
...
</system.web>

Thanks Microsoft for making this unbelievably difficult. Or maybe that was your intention so that you could track IIS and MVC installs across the world ...

雨后彩虹 2024-09-20 02:12:23

As described in Cloaking your ASP.NET MVC Web Application on IIS 7, you can turn off the X-AspNet-Version header by applying the following configuration section to your web.config:

<system.web> 
  <httpRuntime enableVersionHeader="false"/> 
</system.web>

and remove the X-AspNetMvc-Version header by altering your Global.asax.cs as follows:

protected void Application_Start() 
{ 
    MvcHandler.DisableMvcResponseHeader = true; 
}

As described in Custom Headers, you can remove the "X-Powered-By" header by applying the following configuration section to your web.config:

<system.webServer>
   <httpProtocol>
      <customHeaders>
         <clear />
      </customHeaders>
   </httpProtocol>
</system.webServer>

There is no easy way to remove the "Server" response header via configuration, but you can implement an HttpModule to remove specific HTTP Headers as described in Cloaking your ASP.NET MVC Web Application on IIS 7 and in how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7.

蓝咒 2024-09-20 02:12:23

As shown on the Removing standard server headers on Windows Azure Web Sites page, you can remove headers with the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true"/>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>

This removes the Server header, and the X- headers.

This worked locally in my tests in Visual Studio 2015.

Additional References:

a√萤火虫的光℡ 2024-09-20 02:12:23

In Asp.Net Core you can edit the web.config files like so:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

You can remove the server header in the Kestrel options:

            .UseKestrel(c =>
            {
                // removes the server header
                c.AddServerHeader = false;
            }) 
相守太难 2024-09-20 02:12:23

Check this blog
Don't use code to remove headers. It is unstable according to Microsoft.

My take on this:

<system.webServer>
    <httpProtocol>
        <!-- Security Hardening of HTTP response headers -->
        <customHeaders>
            <!-- Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
                 Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
            <add name="X-Content-Type-Options" value="nosniff" />

            <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
                 By preventing a browser from framing your site you can defend against attacks like clickjacking.
                 Recommended value "x-frame-options: SAMEORIGIN" -->
            <add name="X-Frame-Options" value="SAMEORIGIN" />

            <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that
                 they should only read the master crossdomain.xml file from the root of the website.
                 https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
            <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

            <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
                 Recommended value "X-XSS-Protection: 1; mode=block". -->
            <add name="X-Xss-Protection" value="1; mode=block" />

            <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
                 If you have sensitive information in your URLs, you don't want to forward to other domains
                 https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
            <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

            <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
            <remove name="X-Powered-By" />

            <!-- Ensure the cache-control is public, some browser won't set expiration without that -->
            <add name="Cache-Control" value="public" />
        </customHeaders>
    </httpProtocol>

    <!-- Prerequisite for the <rewrite> section
         Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
    <rewrite>
        <!-- Remove Server response headers (OWASP Security Measure) -->
        <outboundRules rewriteBeforeCache="true">
            <rule name="Remove Server header">
                <match serverVariable="RESPONSE_Server" pattern=".+" />

                <!-- Use custom value for the Server info -->
                <action type="Rewrite" value="Your Custom Value Here." />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>

情绪失控 2024-09-20 02:12:23

For the sake of completeness, there is another way to remove the Server header, using regedit.

See this MSDN blog.

Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

I'd rather find a proper solution using the Web.config, but using <rewrite> is not good because it requires the rewrite module to be installed, and even then it won't really remove the header, just empty it.
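
To confirm which of the approaches on this page actually took effect, the check below (an added example, not part of the original answers) classifies each disclosure header in a raw response as absent, empty or present, which separates a header that was removed from one that a rewrite rule only blanked. The function names and the sample responses, including the Server value, are constructed for illustration.

```python
# Added example: classify framework-disclosure headers in a raw HTTP response head.
# Header names come from the question; the sample responses are constructed.
DISCLOSURE_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def parse_headers(raw_head):
    """Return {lower-cased name: [values]}; header names are case-insensitive."""
    headers = {}
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw_head):
    """Map each disclosure header to 'absent', 'empty' or 'present'."""
    seen = parse_headers(raw_head)
    report = {}
    for name in DISCLOSURE_HEADERS:
        values = seen.get(name.lower())
        if values is None:
            report[name] = "absent"
        elif all(v == "" for v in values):
            report[name] = "empty"  # header is still sent, only its value is blanked
        else:
            report[name] = "present"
    return report


# Constructed sample: a default response carrying the headers from the question.
DEFAULT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-AspNetMvc-Version: 2.0\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)

# Constructed sample: version headers removed, Server blanked by an outbound rewrite rule.
REWRITTEN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "server:\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("rewritten", REWRITTEN_RESPONSE)):
        print(label, audit_response(raw))
```
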

走过海棠暮 2024-09-20 02:12:23

You can change any header or anything in Application_EndRequest(); try this:

protected void Application_EndRequest()
{
    // removing excessive headers. They don't need to see this.
    Response.Headers.Remove("header_name");
}
寒冷纷飞旳雪 2024-09-20 02:12:23

The X-Powered-By header is added by IIS to the HTTP response, so you can remove it even on server level via IIS Manager:

You can use the web.config directly:

<system.webServer>
   <httpProtocol>
     <customHeaders>
       <remove name="X-Powered-By" />
     </customHeaders>
   </httpProtocol>
</system.webServer>
人疚 2024-09-20 02:12:23

These directions apply to IIS 10.0 only.

  1. Open the web.config file located in the root directory for the Orion website.

  2. Configure requestFiltering in the web.config system.webServer node:

    
    <security>
        <requestFiltering removeServerHeader="true" />
    </security>

  3. Save the file and restart your IIS app.

Full code with Powered By removing:

  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
世态炎凉 2024-09-20 02:12:22

X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

This header can also be modified to your needs, for more information refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders


Add this to web.config to get rid of the X-AspNet-Version header:

<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

Finally, to remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:

protected void Application_Start()
{
    MvcHandler.DisableMvcResponseHeader = true;
}

You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic:

protected void Application_PreSendRequestHeaders(object source, EventArgs e)
{
      Response.Headers.Remove("foo");
      Response.Headers.Add("bar", "quux");
}
末が日狂欢 2024-09-20 02:12:22

You can also remove them by adding code to your global.asax file:

 protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
 {
   HttpContext.Current.Response.Headers.Remove("X-Powered-By");
   HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
   HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
   HttpContext.Current.Response.Headers.Remove("Server");
 }
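
The web.config settings from the answers above can be checked before deployment. The following is an added example, not code from any of the answers: it reads a web.config and reports which disclosure headers the file suppresses, including the case where a later `<add>` puts X-Powered-By back after `<clear />`. It assumes a complete file with a `<configuration>` root and no XML namespace; the function name and both sample configs are constructed.

```python
# Added example: check a web.config for the header-suppression settings in the answers.
# Assumes a complete web.config with a <configuration> root and no XML namespace.
import xml.etree.ElementTree as ET


def audit_web_config(xml_text):
    """Return {header: 'suppressed' | 'not suppressed' | 'not in web.config'}."""
    root = ET.fromstring(xml_text)

    # X-AspNet-Version: <httpRuntime enableVersionHeader="false" />
    runtime = root.find("system.web/httpRuntime")
    version_off = runtime is not None and \
        runtime.get("enableVersionHeader", "true").lower() == "false"

    # Server: <requestFiltering removeServerHeader="true" /> (IIS 10.0 per the answer)
    filtering = root.find("system.webServer/security/requestFiltering")
    server_off = filtering is not None and \
        filtering.get("removeServerHeader", "false").lower() == "true"

    # X-Powered-By is inherited from the server level, so it starts out present.
    # Walk <customHeaders> in document order: a later <add> undoes <clear>/<remove>.
    powered_by_sent = True
    custom = root.find("system.webServer/httpProtocol/customHeaders")
    for child in (custom if custom is not None else []):
        name = (child.get("name") or "").lower()
        if child.tag == "clear" or (child.tag == "remove" and name == "x-powered-by"):
            powered_by_sent = False
        elif child.tag == "add" and name == "x-powered-by":
            powered_by_sent = True

    def state(off):
        return "suppressed" if off else "not suppressed"

    return {
        "X-AspNet-Version": state(version_off),
        "Server": state(server_off),
        "X-Powered-By": state(not powered_by_sent),
        # Set in code via MvcHandler.DisableMvcResponseHeader, so not visible here.
        "X-AspNetMvc-Version": "not in web.config",
    }


# Constructed sample combining the settings shown in the answers.
HARDENED = """<configuration>
  <system.webServer>
    <security><requestFiltering removeServerHeader="true" /></security>
    <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
  </system.webServer>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
</configuration>"""

# Constructed sample: <clear /> followed by an <add> that reintroduces the header.
READDED = """<configuration>
  <system.webServer>
    <httpProtocol><customHeaders>
      <clear />
      <add name="X-Powered-By" value="ASP.NET" />
    </customHeaders></httpProtocol>
  </system.webServer>
  <system.web><httpRuntime targetFramework="4.5" /></system.web>
</configuration>"""
```
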