  • How to remove ASP.Net MVC Default HTTP Headers (secure header)?

    How to remove ASP.Net MVC Default HTTP Headers?

    Answer 1

    X-Powered-By is a custom header in IIS. Since IIS 7, you can remove it by adding the following to your web.config:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    

    This header can also be modified to your needs; for more information, refer to http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders


    Add this to web.config to get rid of the X-AspNet-Version header:

    <system.web>
      <httpRuntime enableVersionHeader="false" />
    </system.web>
    

    Finally, to remove X-AspNetMvc-Version, edit Global.asax.cs and add the following in the Application_Start event:

    protected void Application_Start()
    {
        MvcHandler.DisableMvcResponseHeader = true;
    }
    

    You can also modify headers at runtime via the Application_PreSendRequestHeaders event in Global.asax.cs. This is useful if your header values are dynamic:

    protected void Application_PreSendRequestHeaders(object source, EventArgs e)
    {
        Response.Headers.Remove("foo");
        Response.Headers.Add("bar", "quux");
    }
    
    Don't use code to remove response headers. It is unstable according to this: docs.microsoft.com/en-us/aspnet/aspnet/overview/… Use the web.config custom headers instead: saotn.org/remove-iis-server-version-http-response-header/… My take on this: stackoverflow.com/a/51639886/2142001
    – mitaka
    Aug 1 '18 at 18:20                         

    Answer 2

    You can also remove them by adding code to your global.asax file:

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.Headers.Remove("X-Powered-By");
        HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
        HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
        HttpContext.Current.Response.Headers.Remove("Server");
    }

    Answer 4 and Answer 2 can be read together: move the concrete code from Answer 2 into the approach below.

    You can change any header, or anything else, in Application_EndRequest(). Try this:

    protected void Application_EndRequest()
    {
        // removing excessive headers. They don't need to see this.
        Response.Headers.Remove("header_name");
    }
    

    This does not work: when an error occurs, the Server header is not removed. Putting the same code in Application_PreSendRequestHeaders removes it correctly.

    Answer 3

    Check this blog. Don't use code to remove headers. It is unstable according to Microsoft.

    My take on this:

    <system.webServer>
      <httpProtocol>
        <!-- Security Hardening of HTTP response headers -->
        <customHeaders>
          <!-- Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
               Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
          <add name="X-Content-Type-Options" value="nosniff" />

          <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
               By preventing a browser from framing your site you can defend against attacks like clickjacking.
               Recommended value "x-frame-options: SAMEORIGIN" -->
          <add name="X-Frame-Options" value="SAMEORIGIN" />

          <!-- Setting X-Permitted-Cross-Domain-Policies header to "master-only" will instruct Flash and PDF files that
               they should only read the master crossdomain.xml file from the root of the website.
               https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
          <add name="X-Permitted-Cross-Domain-Policies" value="master-only" />

          <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
               Recommended value "X-XSS-Protection: 1; mode=block". -->
          <add name="X-Xss-Protection" value="1; mode=block" />

          <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
               If you have sensitive information in your URLs, you don't want to forward to other domains
               https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
          <add name="Referrer-Policy" value="no-referrer-when-downgrade" />

          <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
          <remove name="X-Powered-By" />

          <!-- Ensure the cache-control is public, some browsers won't set expiration without that -->
          <add name="Cache-Control" value="public" />
        </customHeaders>
      </httpProtocol>

      <!-- Prerequisite for the <rewrite> section:
           Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
      <rewrite>
        <!-- Remove Server response headers (OWASP Security Measure) -->
        <outboundRules rewriteBeforeCache="true">
          <rule name="Remove Server header">
            <match serverVariable="RESPONSE_Server" pattern=".+" />

            <!-- Use custom value for the Server info -->
            <action type="Rewrite" value="Your Custom Value Here." />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>

    https://www.veggiespam.com/bad-headers/#microsoft

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead#presend

    PreSendRequestHeaders and PreSendRequestContent

    Recommendation: Do not use these events with managed modules. Instead, write a native IIS module to perform the required task. See Creating Native-Code HTTP Modules.

    You can use the PreSendRequestHeaders and PreSendRequestContent events with native IIS modules.

    Warning

    Do not use PreSendRequestHeaders and PreSendRequestContent with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The combination of Application Requested Routing (ARR) and websockets might lead to access violation exceptions that can cause w3wp to crash. For example, iiscore!W3_CONTEXT_BASE::GetIsLastNotification+68 in iiscore.dll has caused an access violation exception (0xC0000005).

    HttpApplication.PreSendRequestHeaders Event

    Warning

    Do not use PreSendRequestHeaders with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The combination of Application Requested Routing (ARR) and websockets might lead to access violation exceptions that can cause w3wp to crash. For example, iiscore!W3_CONTEXT_BASE::GetIsLastNotification+68 in iiscore.dll has caused an access violation exception (0xC0000005).

    HttpApplication.PreSendRequestContent Event

    Warning

    Do not use PreSendRequestContent with managed modules that implement IHttpModule. Setting these properties can cause issues with asynchronous requests. The combination of Application Requested Routing (ARR) and websockets might lead to access violation exceptions that can cause w3wp to crash. For example, iiscore!W3_CONTEXT_BASE::GetIsLastNotification+68 in iiscore.dll has caused an access violation exception (0xC0000005).
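    As an added example (not code from the Stack Overflow answers or from the blog), a small offline Python checker that parses a raw HTTP response head and reports both the disclosure headers the answers remove (X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version, an IIS Server value) and the hardening headers Answer 3's web.config adds. The two sample responses and their version numbers are constructed for illustration.

```python
# Headers that reveal the server stack; the answers above remove or replace them.
DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Hardening headers from Answer 3's web.config, with the values accepted as strong.
EXPECTED_HEADERS = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},
    "x-permitted-cross-domain-policies": {"master-only", "none"},
    "x-xss-protection": {"1; mode=block"},
    "referrer-policy": {"no-referrer-when-downgrade", "no-referrer", "same-origin"},
}

def parse_headers(raw):
    """Parse a raw HTTP/1.1 response head into a lower-cased name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines; keep the first occurrence of a name
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def audit_headers(headers):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"disclosure: {name} still present ({headers[name]})")
    server = headers.get("server", "")
    if server.lower().startswith("microsoft-iis"):  # the IIS default Server value
        findings.append(f"disclosure: Server reveals IIS ({server})")
    for name, allowed in EXPECTED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif value.lower() not in allowed:
            findings.append(f"weak: {name} is {value!r}")
    return findings

# Constructed sample responses: a default ASP.NET MVC response and the same site
# after Answer 3's web.config (version numbers are illustrative only).
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-AspNetMvc-Version: 5.2\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\nServer: Your Custom Value Here.\r\nX-Content-Type-Options: nosniff\r\n"
         "X-Frame-Options: SAMEORIGIN\r\nX-Permitted-Cross-Domain-Policies: master-only\r\n"
         "X-Xss-Protection: 1; mode=block\r\nReferrer-Policy: no-referrer-when-downgrade\r\n"
         "Cache-Control: public\r\nContent-Type: text/html\r\n\r\n<html></html>")
```

Run it against an error response (for example a 404 page) as well as a normal one, since the note above observes that headers removed in Application_EndRequest survive on error responses.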

  • Original article: https://www.cnblogs.com/chucklu/p/15294408.html