  • ASP.NET: removing the Server, X-Powered-By and X-AspNet-Version headers

            When an ASP.NET application is deployed on IIS, every HTTP response carries Server, X-Powered-By and X-AspNet-Version headers. These advertise the exact web server and framework versions and so give an attacker a starting point for looking up vulnerabilities that apply to your site. They are visible in FireBug, as in the screenshot below:

    [Screenshot (2011-08-07): response headers as shown in FireBug]

            Removing X-AspNet-Version is simple: add this setting to the Web.config (the header is emitted by the ASP.NET runtime itself):

     <httpRuntime enableVersionHeader="false" />

             To remove Server, we can write a custom HttpModule. Here is the code:

       using System;
       using System.Web;

       namespace MyWeb
       {
           public class RemoveServerInfoModule : IHttpModule
           {
               #region IHttpModule Members

               public void Dispose()
               {
                   // no code necessary
               }

               public void Init(HttpApplication context)
               {
                   // hook the event raised just before the response headers are written to the client
                   context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
               }

               void context_PreSendRequestHeaders(object sender, EventArgs e)
               {
                   // strip the "Server" header from the current Response
                   HttpContext.Current.Response.Headers.Remove("Server");
               }

               #endregion
           }
       }

             The code above can throw an exception: HttpResponse.Headers can only be modified under the IIS 7 integrated pipeline, and in classic mode or on the Visual Studio development server the getter throws PlatformNotSupportedException. It is therefore safer to implement the PreSendRequestHeaders handler like this:

       void context_PreSendRequestHeaders(object sender, EventArgs e)
       {
           try
           {
               HttpApplication app = sender as HttpApplication;
               // Local requests are skipped: where the integrated pipeline is not available
               // (e.g. the Visual Studio development server) the Headers collection cannot be modified.
               if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
               {
                   var headers = app.Context.Response.Headers;
                   if (null != headers)
                   {
                       headers.Remove("Server");
                   }
               }
           }
           catch (Exception ex)
           {
               // Log.HandleException is the application's own logging helper;
               // a PlatformNotSupportedException from the Headers getter ends up here.
               Log.HandleException(ex);
           }
       }

             Finally, register the HttpModule in Web.config (this is the system.web/httpModules section used by IIS 6 and IIS 7 classic mode):

        <httpModules>
          <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
        </httpModules>

      For IIS 7 in integrated pipeline mode, register it under system.webServer instead:

      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" >
          <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
        </modules>
      </system.webServer>
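The pieces above, plus the one the title promises but the post never shows, combined into a single Web.config. This is an added example and not the original post's configuration; the module name, namespace and type are the ones from the post, everything else is assumed. X-Powered-By is not produced by ASP.NET at all but by IIS itself, so it has to be removed from IIS's custom headers under system.webServer/httpProtocol. The validation element is what lets the same module be listed in both httpModules and modules without IIS rejecting the file in integrated mode. The requestFiltering removeServerHeader attribute exists only on IIS 10.0 and later; on older versions it is an unrecognized attribute and the site fails to start with a configuration error, so leave that element out there and rely on the module.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- X-AspNet-Version is emitted by the ASP.NET runtime; this switch turns it off -->
    <httpRuntime enableVersionHeader="false" />

    <!-- Module registration for IIS 6 and IIS 7 classic pipeline -->
    <httpModules>
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
    </httpModules>
  </system.web>

  <system.webServer>
    <!-- Allows httpModules above and modules below to coexist in integrated mode -->
    <validation validateIntegratedModeConfiguration="false" />

    <!-- Module registration for IIS 7+ integrated pipeline -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
    </modules>

    <!-- X-Powered-By is added by IIS, not ASP.NET, so it is removed here -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <!-- IIS 10.0 and later only: drops the Server header without any module -->
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After deploying, confirm the result by inspecting the response headers of a real request (curl -I, or the browser's network panel) rather than trusting the configuration: a header that is still present usually means the module is registered in the wrong section for the pipeline mode the application pool actually runs in.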

           That is all. When you run the ASP.NET web application again, the Server and X-AspNet-Version headers are no longer sent; check the response headers to confirm it.

           I hope this helps with your development.


    Author: Petter Liu
    Source: http://www.cnblogs.com/wintersun/
    Copyright of this article is shared by the author and cnblogs. Reposting is welcome, but without the author's consent this notice must be kept and a link to the original given prominently on the page; otherwise the right to pursue legal action is reserved.
    This article is also published on my independent blog, Petter Liu Blog.

  • Original article: https://www.cnblogs.com/wintersun/p/2129942.html