As part of an effort to make our API and site more secure, I'm removing headers that leak information about what the site is running.
Example before stripping headers:
The same way that's in this answer, and in this website, you should use the following steps:
C#:
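    using System;
    using System.Web;

    namespace MvcExtensions.Infrastructure
    {
        // Strips the "Server" header from responses that pass through the ASP.NET pipeline.
        public class CustomServerName : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                // Runs just before the response headers are sent to the client.
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }

            public void Dispose() { }

            void OnPreSendRequestHeaders(object sender, EventArgs e)
            {
                // Response.Headers requires the IIS integrated pipeline mode.
                HttpContext.Current.Response.Headers.Remove("Server");
            }
        }
    }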
Web.config:
    <system.webServer>
      <modules>
        <add name="CustomHeaderModule" type="MvcExtensions.Infrastructure.CustomServerName" />
      </modules>
    </system.webServer>
The only one without an easy listed solution was the "Server" header. I was able to remove it locally in IIS and in an Azure web site by adding this in the web.config:
    <system.webServer>
      <security>
        <requestFiltering removeServerHeader="true" />
      </security>
    </system.webServer>
Unfortunately, managed code modules only work for code passing through the ASP.NET pipeline. Whilst others have correctly suggested it is possible to force all requests through managed code, I personally feel this is less than desirable.
In order to remove headers from all requests, including static content, which by default is served directly and not through managed code, it is possible to use a Native-Code module. Unfortunately, Native-Code modules are a little more difficult to write as they use the Win32 APIs rather than ASP.NET; however, in my experience they are much more suitable for removing headers.
The following link has binaries and source code for a Native-Code module that can be used to remove headers. It requires no extra configuration to remove the "Server" headers, but other headers to remove can be added in the IIS configuration.
http://www.dionach.com/blog/easily-remove-unwanted-http-headers-in-iis-70-to-85
You should be able to force all requests to go through your managed code by adding this to your web.config:
    <modules runAllManagedModulesForAllRequests="true">
Then, even static files should adhere to your header rules.
Use the IIS UrlRewrite 2.0 for blanking the Server response header. Add the following code to the Web.config file:
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Remove RESPONSE_Server">
            <match serverVariable="RESPONSE_Server" pattern=".+" />
            <action type="Rewrite" value="" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
https://stackoverflow.com/a/12615970/5810078
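A way to verify the fixes discussed in the answers above, as an added example that is not part of any original post: it classifies each banner header in a response as removed, blanked (what the URL Rewrite outbound rule produces) or still leaking, and checks a static path alongside a managed one, since static content can bypass a managed module. The sample responses, the paths and the X-* header list are assumptions constructed for illustration.

```python
"""Classify version-disclosing response headers as removed, blanked or leaking."""
from email.parser import Parser

# "Server" is the header this page discusses; the X-* names are the other
# banners a default IIS/ASP.NET site emits (included here as an assumption).
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")


def classify(raw_head: str) -> dict:
    """Map each banner header to 'removed', 'blanked' or 'leaking: <value>'."""
    _status_line, _, header_block = raw_head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    result = {}
    for name in BANNER_HEADERS:
        values = headers.get_all(name)  # case-insensitive, keeps duplicates
        if values is None:
            result[name] = "removed"
        elif all(not v.strip() for v in values):
            result[name] = "blanked"  # header still sent, but with an empty value
        else:
            result[name] = "leaking: " + ", ".join(v.strip() for v in values if v.strip())
    return result


def audit(responses: dict) -> list:
    """Return (path, header, value) for every header still leaking on any path."""
    findings = []
    for path, raw_head in responses.items():
        for name, state in classify(raw_head).items():
            if state.startswith("leaking: "):
                findings.append((path, name, state[len("leaking: "):]))
    return findings


# Constructed sample responses (not captured from a real site): a managed
# module stripped "Server" on the API route, but the static file bypassed it.
SAMPLE = {
    "/api/values": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n",
    "/content/site.css": "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
                         "Server: Microsoft-IIS/8.5\r\n\r\n",
    "/rewritten.html": "HTTP/1.1 200 OK\r\nserver:\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("still leaking:", finding)
```

Feed it the response heads saved from your own site for at least one managed route and one static file after each configuration change.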