How to delete IIS custom headers like X-Powered-By: ASP.NET from response?

小鲜肉 2021-02-01 13:19

In IIS 7.0 integrated mode after deleting all headers with Response.ClearHeaders() IIS would add some other headers like Server

7 answers
  • 2021-02-01 13:41

    The following answer includes a complete solution that does not require URLScan or a custom HttpModule, and removes all the related headers you mention. It also works on Azure.

    Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

  • 2021-02-01 13:43

    For IIS7+ integrated mode, eth0 has it: <customHeaders> tag in web.config. Thanks for that. As for the "Server" header, if using MVC, you can simply add:

        protected void Application_PreSendRequestHeaders()
        {
            Response.Headers.Remove("Server");
        }
    

    to your MvcApplication class in Global.asax. Otherwise, you can simply add a custom Http Module, handling the PreSendRequestHeaders event, and do the same thing.

  • 2021-02-01 13:45

    Would like to add here that for the ASP.NET Core versions where there is no longer a web.config file a different approach is necessary.

    I made the following adjustments to remove the headers in ASP.NET Core 2.1:

    You can remove the x-powered-by header by replacing

        <customHeaders>
            <clear />
            <add name="X-Powered-By" value="ASP.NET" />
        </customHeaders>
    

    with

        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    

    in the applicationhost.config file found in the .vs\config folder of the project.

    The server header can be removed by adding

        .UseKestrel(c => c.AddServerHeader = false)
    

    in the Program.cs file.

  • 2021-02-01 13:46

    You can add this to your Web.Config:

        <system.webServer>
            <httpProtocol>
                <customHeaders>
                    <remove name="X-Powered-By" />
                </customHeaders>
            </httpProtocol>
        </system.webServer>
    

    Update: if you're using the MVC framework I would also recommend removing the X-AspNetMvc-Version and X-AspNet-Version headers as well. This is accomplished by setting MvcHandler.DisableMvcResponseHeader = true in your Global.asax file and <system.web><httpRuntime enableVersionHeader="false" /></system.web> in your Web.config respectively.

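An added example, not part of any answer above: a small Python check that reads a web.config and reports which version-disclosure headers it still allows, based on the `<customHeaders>` and `enableVersionHeader` settings discussed in the answers. The function name `audit_web_config` and the sample files are constructed for illustration, and the check assumes X-Powered-By is inherited from the server-level configuration unless the file clears or removes it. It does not cover `Server` or `X-AspNetMvc-Version`, which the answers remove in code rather than in web.config.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text, inherited_x_powered_by=True):
    """Return the version-disclosure headers this web.config still lets IIS/ASP.NET send."""
    root = ET.fromstring(xml_text)
    findings = []

    # Assumption: X-Powered-By is inherited from the server-level config, so it
    # stays unless <clear /> or <remove> drops it here. Children apply in order.
    present = inherited_x_powered_by
    headers = root.find("system.webServer/httpProtocol/customHeaders")
    for el in (headers if headers is not None else []):
        name = (el.get("name") or "").lower()
        if el.tag == "clear":
            present = False
        elif el.tag == "remove" and name == "x-powered-by":
            present = False
        elif el.tag == "add" and name == "x-powered-by":
            present = True  # re-added after a <clear />, as in the "replace this" snippet
    if present:
        findings.append("X-Powered-By")

    # enableVersionHeader defaults to true, so a missing element or attribute still leaks.
    runtime = root.find("system.web/httpRuntime")
    flag = runtime.get("enableVersionHeader", "true") if runtime is not None else "true"
    if flag.strip().lower() != "false":
        findings.append("X-AspNet-Version")
    return findings

# Constructed samples built from the snippets quoted in the answers.
LEAKY = """<configuration>
  <system.webServer><httpProtocol><customHeaders>
    <clear />
    <add name="X-Powered-By" value="ASP.NET" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

HARDENED = """<configuration>
  <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  <system.webServer><httpProtocol><customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders></httpProtocol></system.webServer>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_web_config(cfg) or "no version headers from web.config")
```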
  • 2021-02-01 13:49

    URLScan can be used to remove server header, or configure another server header, http://learn.iis.net/page.aspx/938/urlscan-3-reference/

    But it never really prevents a hacker from knowing what you use in fact. There are obviously other ways to detect your server information.

  • 2021-02-01 13:57

    The X-Powered-By is configured within IIS. On Windows 7 it's specifically:

    1. IIS Manager
    2. COMPUTER NAME > Sites > Default Web Site
    3. HTTP Response Headers
    4. Remove X-Powered-By

    I'm not sure what generates the Server header though.
