How can I remove excessive response header information from Azure Web-Apps?
I have an MVC project deployed on Azure Web-Apps. I am trying to remove the excessive header information. The reason I want to remove this information is that doing so is a standard security practice. (Reference)
I am trying to remove the following informational headers from the response:
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
I have the following code in my Global.asax.cs file:
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}
But this has no effect on the result.
Try this:
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpContext.Current.Response.Headers.Remove("Server");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
Also, wire it up in Application_Start with the following statement:
PreSendRequestHeaders += Application_PreSendRequestHeaders;
To remove X-AspNet-Version, find/create the following in web.config and add:
<system.web>
    <httpRuntime enableVersionHeader="false" />
    ...
</system.web>
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add one line as shown below:
protected void Application_Start() {
    MvcHandler.DisableMvcResponseHeader = true;
}
To remove X-Powered-By, find/create the following in web.config and add:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
    ...
</system.webServer>
You should be able to force all requests through your managed code by adding this to your web.config:
<modules runAllManagedModulesForAllRequests="true">
Even static files and not-found resources should then obey your header rules.
Do not use code to remove response headers. According to Microsoft, it is unstable. Use the Web.config custom headers section instead, defined here:
<system.webServer>
<httpProtocol>
<!-- Security Hardening of HTTP response headers -->
<customHeaders>
<!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjacking.
Recommended value "x-frame-options: SAMEORIGIN" -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that
they should only read the master crossdomain.xml file from the root of the website.
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Recommended value "X-XSS-Protection: 1; mode=block". -->
<add name="X-Xss-Protection" value="1; mode=block" />
<!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
If you have sensitive information in your URLs, you don't want to forward to other domains
https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="no-referrer-when-downgrade" />
<!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
<remove name="X-Powered-By" />
<!-- Set the cache-control per your Security settings (will affect performance) -->
<add name="Cache-Control" value="No-cache" />
</customHeaders>
</httpProtocol>
<!-- Prerequisite for the <rewrite> section
Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
<!-- Remove Server response headers (OWASP Security Measure) -->
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<!-- Use custom value for the Server info -->
<action type="Rewrite" value="Your Custom Value Here." />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
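As an added post-deployment check (not code from the question or any of the answers above): a small Python audit that parses a raw HTTP response head, reports which of the disclosure headers named in the question are still present, and which of the hardening headers set by the web.config above are missing or carry a different value. The two sample responses are constructed; in practice you would paste in the head returned by curl -I against the deployed site.

```python
"""Audit an HTTP response head for version-disclosing headers and for the
hardening headers added by the customHeaders section above."""
from typing import Dict, List, Tuple

# Headers that disclose server/framework versions: the ones the question lists
# plus X-AspNetMvc-Version from the Global.asax snippet.
DISCLOSURE_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

# Hardening headers the customHeaders section adds, with the values it sets.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "no-referrer-when-downgrade",
}

def parse_head(raw: str) -> Dict[str, List[str]]:
    """Parse the header lines of a raw HTTP response head (status line first).
    Header names are case-insensitive, so keys are lower-cased; a repeated
    header (e.g. two X-Powered-By lines) is kept as a list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> Tuple[List[str], List[str]]:
    """Return (disclosing, missing): disclosure headers still present as
    'name: value' strings, and hardening headers absent or with another value."""
    headers = parse_head(raw)
    disclosing = [f"{n}: {v}" for n in DISCLOSURE_HEADERS for v in headers.get(n, [])]
    missing = [n for n, want in EXPECTED_HEADERS.items()
               if want.lower() not in [v.lower() for v in headers.get(n, [])]]
    return disclosing, missing

# Constructed sample: the headers the questioner reports seeing before any fix.
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/8.0\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-Powered-By: PHP/5.4.38\r\nX-Powered-By: ASP.NET\r\n\r\n")
# Constructed sample: a response after the web.config changes above are applied.
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n"
         "X-Frame-Options: SAMEORIGIN\r\nX-Xss-Protection: 1; mode=block\r\n"
         "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        disclosing, missing = audit(raw)
        print(f"{label}: disclosing={disclosing} missing={missing}")
```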