因 VERB 命中受阻而出现 HTTP 500 时公开的服务器版本
Server version disclosed in case of HTTP 500 coming because of blocked VERB hit
我设置了自定义错误页面并设置了 Verb 阻塞,只允许 GET 和 POST。
但是当我尝试其他方法(DELETE、OPTION、TRACE)时,它没有重定向到自定义错误页面,而且它公开服务器版本。服务器版本未在 HTTP 200 中公开。
错误页面处理-:
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="SSPERR.aspx" responseMode="Redirect"/>
</httpErrors>
规则
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="SSPERR.aspx" responseMode="Redirect"/>
</httpErrors>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<clear/>
<add verb="GET" allowed="true"/>
<add verb="POST" allowed="true"/>
</verbs>
</requestFiltering>
</security>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+"/>
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<modules runAllManagedModulesForAllRequests="true" />
Global.asax 文件-:
protected void Application_PreSendRequestHeaders(object sender, EventArgs
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
好的。我发现了问题:
您忘记删除错误 404 但再次添加并重复。由于这个原因,应用程序在异常中抛出异常并且 Headers 无法正确删除。
现在你可以看到一切正常。我为错误页面提供使用纯 html 文件。所以error.html会更好。
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="File" >
<remove statusCode="500" subStatusCode="-1" />
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="~/error.html" responseMode="File"/>
<error statusCode="500" path="~/error.html" responseMode="File"/>
</httpErrors>
我设置了自定义错误页面并设置了 Verb 阻塞,只允许 GET 和 POST。 但是当我尝试其他方法(DELETE、OPTION、TRACE)时,它没有重定向到自定义错误页面,而且它公开服务器版本。服务器版本未在 HTTP 200 中公开。
错误页面处理-:
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="SSPERR.aspx" responseMode="Redirect"/>
</httpErrors>
规则
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="SSPERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="SSPERR.aspx" responseMode="Redirect"/>
</httpErrors>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<clear/>
<add verb="GET" allowed="true"/>
<add verb="POST" allowed="true"/>
</verbs>
</requestFiltering>
</security>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+"/>
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<modules runAllManagedModulesForAllRequests="true" />
Global.asax 文件-:
protected void Application_PreSendRequestHeaders(object sender, EventArgs
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
好的。我发现了问题:
您忘记删除错误 404 但再次添加并重复。由于这个原因,应用程序在异常中抛出异常并且 Headers 无法正确删除。 现在你可以看到一切正常。我为错误页面提供使用纯 html 文件。所以error.html会更好。
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="File" >
<remove statusCode="500" subStatusCode="-1" />
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" path="~/error.html" responseMode="File"/>
<error statusCode="500" path="~/error.html" responseMode="File"/>
</httpErrors>