因 VERB 命中受阻而出现 HTTP 500 时公开的服务器版本

Server version disclosed in case of HTTP 500 coming because of blocked VERB hit

我设置了自定义错误页面并设置了 Verb 阻塞,只允许 GET 和 POST。 但是当我尝试其他方法(DELETE、OPTION、TRACE)时,它没有重定向到自定义错误页面,而且它公开服务器版本。服务器版本未在 HTTP 200 中公开。

错误页面处理-:

<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
      <remove statusCode="500" subStatusCode="-1" />
      <error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
      <error statusCode="500"  path="SSPERR.aspx" responseMode="Redirect"/>
</httpErrors>

规则

<httpErrors errorMode="Custom" existingResponse="Auto"  defaultResponseMode="Redirect" >
          <remove statusCode="500" subStatusCode="-1" />
          <error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
          <error statusCode="500"  path="SSPERR.aspx" responseMode="Redirect"/>
        </httpErrors>
        <security>
          <requestFiltering>
            <verbs allowUnlisted="false">
              <clear/>
              <add verb="GET" allowed="true"/>
              <add verb="POST" allowed="true"/>
            </verbs>
          </requestFiltering>
        </security>
        <rewrite>
          <outboundRules rewriteBeforeCache="true">
            <rule name="Remove RESPONSE_Server" >
              <match serverVariable="RESPONSE_Server" pattern=".+"/>
              <action type="Rewrite" value="" />
            </rule>
          </outboundRules>
        </rewrite>
        <httpProtocol>
          <customHeaders>
            <remove name="X-Powered-By" />
          </customHeaders>
        </httpProtocol>
        <modules runAllManagedModulesForAllRequests="true" />

Global.asax 文件-:

protected void Application_PreSendRequestHeaders(object sender, EventArgs 
{
    HttpContext.Current.Response.Headers.Remove("Server");
    HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
    HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}

好的。我发现了问题:

忘记删除错误 404 但再次添加并重复。由于这个原因,应用程序在异常中抛出异常并且 Headers 无法正确删除。 现在你可以看到一切正常。我为错误页面提供使用纯 html 文件。所以error.html会更好。

    <httpErrors errorMode="Custom" existingResponse="Auto"  defaultResponseMode="File" >
      <remove statusCode="500" subStatusCode="-1" />
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="~/error.html" responseMode="File"/>
      <error statusCode="500"  path="~/error.html" responseMode="File"/>
    </httpErrors>