默认情况下,每一个MVC请求的HTTP Header中都会包含着当前服务器的一些信息,出于安全还是性能还是处女座的强迫症等等,都想把这些信息移除掉,增加一些应用程序的神秘感,如下,默认情况下Chrome中截获的HTTP Header信息:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:1184 Content-Type:text/html; charset=utf-8 Date:Sun, 08 Oct 2017 05:01:37 GMT Server:Microsoft-IIS/10.0 Vary:Accept-Encoding X-AspNet-Version:4.0.30319 X-AspNetMvc-Version:5.2 X-Powered-By:ASP.NET X-SourceFiles:=?UTF-8?B?RTpcV29ya1xUaWFuTG9uZ1xMUS5NVkNBZG1pblxNYW5hZ2VyXEVxdWlwbWVudHM=?=
接下来,一步一步的移除其中的一些信息,本文环境为.NET Framework 4.5、MVC 5、IIS 10,测试有效。
移除X-AspNetMvc-Version
在Global.asax.cs中添加如下代码:
protected void Application_Start() { //屏蔽浏览器中的ASP.NET版本 MvcHandler.DisableMvcResponseHeader = true; AreaRegistration.RegisterAllAreas(); GlobalConfiguration.Configure(WebApiConfig.Register); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); }
效果如下:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:1184 Content-Type:text/html; charset=utf-8 Date:Sun, 08 Oct 2017 05:03:57 GMT Server:Microsoft-IIS/10.0 Vary:Accept-Encoding X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET X-SourceFiles:=?UTF-8?B?RTpcV29ya1xUaWFuTG9uZ1xMUS5NVkNBZG1pblxNYW5hZ2VyXEVxdWlwbWVudHM=?=
移除X-AspNet-Version
在config中添加如下代码:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" enableVersionHeader="false"/>
</system.web>效果如下:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:1184 Content-Type:text/html; charset=utf-8 Date:Sun, 08 Oct 2017 03:46:23 GMT
Vary:Accept-Encoding Server:Microsoft-IIS/10.0 X-Powered-By:ASP.NET X-SourceFiles:=?UTF-8?B?RTpcV29ya1xUaWFuTG9uZ1xMUS5NVkNBZG1pblxNYW5hZ2VyXEVxdWlwbWVudHM=?=
移除Server
既可以移除同时也可以修改Server信息,也可以实现上面两个信息的移除,在Global.asax.cs文件中添加如下代码
protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { HttpApplication app = sender as HttpApplication; if (app != null && app.Context != null) { //移除Server app.Context.Response.Headers.Remove("Server");
//修改Server的值 //app.Context.Response.Headers.Set("Server", "MyPreciousServer"); //移除X-AspNet-Version,和上面效果一样 app.Context.Response.Headers.Remove("X-AspNet-Version"); //移除X-AspNetMvc-Version,和上面效果一样 app.Context.Response.Headers.Remove("X-AspNetMvc-Version"); } }
效果如下:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:1184 Content-Type:text/html; charset=utf-8 Date:Sun, 08 Oct 2017 05:25:00 GMT Vary:Accept-Encoding X-Powered-By:ASP.NET X-SourceFiles:=?UTF-8?B?RTpcV29ya1xUaWFuTG9uZ1xMUS5NVkNBZG1pblxNYW5hZ2VyXEVxdWlwbWVudHM=?=
移除X-Powered-By
在webconfig中添加配置项:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>移除效果如下:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:1184 Content-Type:text/html; charset=utf-8 Date:Sun, 08 Oct 2017 05:29:05 GMT Vary:Accept-Encoding