penetration-testing

Removing/Hiding/Disabling excessive HTTP response headers in Azure/IIS7 without UrlScan

喜你入骨 submitted on 2019-11-26 07:55:32
Question: I need to remove excessive headers (primarily to pass penetration testing). I have spent time looking at solutions that involve running UrlScan, but these are cumbersome as UrlScan needs to be installed each time an Azure instance is started. There must be a good solution for Azure that does not involve deploying installers from startup.cmd. I understand that the response headers are added in different places: Server: added by IIS. X-AspNet-Version: added by System.Web.dll at the time of

What is “X-Content-Type-Options=nosniff”?

£可爱£侵袭症+ submitted on 2019-11-26 04:32:12
Question: I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' This check is specific to Internet Explorer 8 and Google Chrome. Ensure each page sets a Content-Type header and the X-CONTENT-TYPE-OPTIONS if the Content-Type header is unknown I have no idea what this means, and I couldn't find anything online. I have tried adding: <meta content="text/html; charset=UTF-8; X