Asp.net移除Server, XPoweredBy, 和XAspNetVersion头

Asp.net移除Server, XPoweredBy, 和XAspNetVersion头
我们在开发Asp.net中,最后部署在IIS上. 然后发送HTTP请求,返回的HTTP头中包含Server, X-Powered-By, 和 X-AspNet-Version信息. 这些信息有时给攻击者找寻你的站点漏洞提供的依据. 如下图我们通过FireBug查看到:

移除X-AspNet-Version很简单,只需要在Web.config中增加这个配置节:
```
 <httpRuntime enableVersionHeader="false" />
```
移除Server呢, 我们可以写一个自定义HttpModule,看下来代码:
```
   1:  namespace MyWeb
```
```
   2:  {
```
```
   3:      public class RemoveServerInfoModule: IHttpModule
```
```
   4:      {
```
```
   5:          #region IHttpModule Members
```
```
   6:   
```
```
   7:          public void Dispose(){
```
```
   8:              //no code nescessary
```
```
   9:          }
```
```
  10:          
```
```
  11:          public void Init(HttpApplication context)
```
```
  12:          {
```
```
  13:              context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
```
```
  14:          }
```
```
  15:   
```
```
  16:          void context_PreSendRequestHeaders(object sender, EventArgs e)
```
```
  17:          {
```
```
  18:              // strip the "Server" header from the current Response 
```
```
  19:              HttpContext.Current.Response.Headers.Remove("Server");
```
```
  20:          }
```
```
  21:   
```
```
  22:          #endregion
```
```
  23:      }
```
```
  24:  }
```
上面这段代码会arise exceptioin,我们最好这样实现PreSendRequestHeaders方法:
```
   1:          void context_PreSendRequestHeaders(object sender, EventArgs e)
```
```
   2:          {
```
```
   3:              try
```
```
   4:              {
```
```
   5:                  HttpApplication app = sender as HttpApplication;
```
```
   6:                  if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
```
```
   7:                  {
```
```
   8:                      var headers = app.Context.Response.Headers;
```
```
   9:                      if (null != headers)
```
```
  10:                      {
```
```
  11:                          headers.Remove("Server");
```
```
  12:                      }
```
```
  13:                  }
```
```
  14:              }
```
```
  15:              catch (Exception ex)
```
```
  16:              {
```
```
  17:                  Log.HandleException(ex);
```
```
  18:              }
```
```
  19:          }
```
最后在Web.config中配置这个HttpModule:
```
    <httpModules>
```
```
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
```
```
    </httpModules>
```
For IIS 7:
```
  <system.webServer>
```
```
    <modules runAllManagedModulesForAllRequests="true" >
```
```
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
```
```
    </modules>
```
```
  </system.webServer
```
这样就OK了, 你再运行Asp.net web application时, Server,X-AspNet-Version等信息已经不显示了.

希望对您开发,有帮助.

作者：Petter Liu
出处：http://www.cnblogs.com/wintersun/
本文版权归作者和博客园共有，欢迎转载，但未经作者同意必须保留此段声明，且在文章页面明显位置给出原文连接，否则保留追究法律责任的权利。
该文章也同时发布在我的独立博客中-Petter Liu Blog。
相关阅读:
mysql access denied for user root Mysql用户无权限
 远程链接调用sql脚本
 CuteEditor使用详解
 如何设置release模式
 ShardingJDBC不分库，只分表例子
 SpringCloud Stream整合RocketMQ实现消息发送与接收
 Spring Cloud Gateway的PrefixPath及StripPrefix功能
 使用MongoDB的Spring Boot和MongoTemplate教程
 ShardingJDBC读写分离案例
 SpringBoot那些好用的连接池HikariCP
原文地址：https://www.cnblogs.com/wintersun/p/2129942.html