我们在开发Asp.net中,最后部署在IIS上. 然后发送HTTP请求,返回的HTTP头中包含Server, X-Powered-By, 和 X-AspNet-Version信息. 这些信息有时给攻击者找寻你的站点漏洞提供的依据. 如下图我们通过FireBug查看到:
移除X-AspNet-Version很简单,只需要在Web.config中增加这个配置节:
<httpRuntime enableVersionHeader="false" />
移除Server呢, 我们可以写一个自定义HttpModule,看下来代码:
1: namespace MyWeb
2: {3: public class RemoveServerInfoModule: IHttpModule
4: {5: #region IHttpModule Members
6: 7: public void Dispose(){
8: //no code nescessary
9: } 10: 11: public void Init(HttpApplication context)
12: {13: context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
14: } 15: 16: void context_PreSendRequestHeaders(object sender, EventArgs e)
17: {18: // strip the "Server" header from the current Response
19: HttpContext.Current.Response.Headers.Remove("Server");
20: } 21: 22: #endregion
23: } 24: }上面这段代码会arise exceptioin,我们最好这样实现PreSendRequestHeaders方法:
1: void context_PreSendRequestHeaders(object sender, EventArgs e)
2: {3: try
4: {5: HttpApplication app = sender as HttpApplication;
6: if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
7: { 8: var headers = app.Context.Response.Headers;9: if (null != headers)
10: {11: headers.Remove("Server");
12: } 13: } 14: }15: catch (Exception ex)
16: { 17: Log.HandleException(ex); 18: } 19: }最后在Web.config中配置这个HttpModule:
<httpModules>
<add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
</httpModules>
For IIS 7:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" >
<add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
</modules>
</system.webServer这样就OK了, 你再运行Asp.net web application时, Server,X-AspNet-Version等信息已经不显示了.
希望对您开发,有帮助.
作者:Petter Liu
出处:http://www.cnblogs.com/wintersun/
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。
该文章也同时发布在我的独立博客中-Petter Liu Blog。