How to remove ASP.Net MVC Default HTTP Headers?
Each page in an MVC application I\'m working with sets these HTTP headers in responses:
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version
-
Check this blog Don't use code to remove headers. It is unstable according Microsoft
My take on this:
<system.webServer> <httpProtocol> <!-- Security Hardening of HTTP response headers --> <customHeaders> <!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent Internet Explorer from MIME-sniffing a response away from the declared content-type. --> <add name="X-Content-Type-Options" value="nosniff" /> <!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN" --> <add name="X-Frame-Options" value="SAMEORIGIN" /> <!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that they should only read the master crossdomain.xml file from the root of the website. https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html --> <add name="X-Permitted-Cross-Domain-Policies" value="master-only" /> <!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block". --> <add name="X-Xss-Protection" value="1; mode=block" /> <!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites. If you have sensitive information in your URLs, you don't want to forward to other domains https://scotthelme.co.uk/a-new-security-header-referrer-policy/ --> <add name="Referrer-Policy" value="no-referrer-when-downgrade" /> <!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration --> <remove name="X-Powered-By" /> <!-- Ensure the cache-control is public, some browser won't set expiration without that --> <add name="Cache-Control" value="public" /> </customHeaders> </httpProtocol> <!-- Prerequisite for the <rewrite> section Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite --> <rewrite> <!-- Remove Server response headers (OWASP Security Measure) --> <outboundRules rewriteBeforeCache="true"> <rule name="Remove Server header"> <match serverVariable="RESPONSE_Server" pattern=".+" /> <!-- Use custom value for the Server info --> <action type="Rewrite" value="Your Custom Value Here." /> </rule> </outboundRules> </rewrite> </system.webServer>讨论(0) -
As shown on Removing standard server headers on Windows Azure Web Sites page, you can remove headers with the following:
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <httpProtocol> <customHeaders> <clear /> </customHeaders> </httpProtocol> <security> <requestFiltering removeServerHeader="true"/> </security> </system.webServer> <system.web> <httpRuntime enableVersionHeader="false" /> </system.web> </configuration>This removes the Server header, and the X- headers.
This worked locally in my tests in Visual Studio 2015.
讨论(0) -
As described in Cloaking your ASP.NET MVC Web Application on IIS 7, you can turn off the X-AspNet-Version header by applying the following configuration section to your web.config:
<system.web> <httpRuntime enableVersionHeader="false"/> </system.web>and remove the X-AspNetMvc-Version header by altering your Global.asax.cs as follows:
protected void Application_Start() { MvcHandler.DisableMvcResponseHeader = true; }As described in Custom Headers You can remove the "X-Powered-By" header by applying the following configuration section to your web.config:
<system.webServer> <httpProtocol> <customHeaders> <clear /> </customHeaders> </httpProtocol> </system.webServer>There is no easy way to remove the "Server" response header via configuration, but you can implement an
HttpModuleto remove specific HTTP Headers as described in Cloaking your ASP.NET MVC Web Application on IIS 7 and in how-to-remove-server-x-aspnet-version-x-aspnetmvc-version-and-x-powered-by-from-the-response-header-in-iis7.讨论(0) -
For the sake of completeness, there is another way to remove the
Serverheader, using regedit.See this MSDN blog.
Create a DWORD entry called DisableServerHeader in the following Registry key and set the value to 1.
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
I'd rather find a proper solution using the Web.config, but using
<rewrite>is not good because it requires the rewrite module to be installed, and even then it won't really remove the header, just empty it.讨论(0) -
In Asp.Net Core you can edit the web.config files like so:
<httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol>You can remove the server header in the Kestrel options:
.UseKestrel(c => { // removes the server header c.AddServerHeader = false; })讨论(0) -
I found this configuration in my
web.configwhich was for aNew Web Site...created in Visual Studio (as opposed to aNew Project...). Since the question states a ASP.NET MVC application, not as relevant, but still an option.<system.webServer> <httpProtocol> <customHeaders> <clear /> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol> </system.webServer>Update: Also, Troy Hunt has an article titled Shhh… don’t let your response headers talk too loudly with detailed steps on removing these headers as well as a link to his ASafaWeb tool for scanning for them and other security configurations.
讨论(0)
加载中...
- 热议问题