我有几个IIS / 6.0服务器,安全性要求我删除几个响应标头,这些响应标头是根据请求发送到客户端浏览器的。他们担心通过响应头泄露平台信息。我已经从网站的IIS配置中删除了所有HTTP-HEADERS(X-Powered-By或某些此类标题)。
(我个人确实知道可以轻松找到此信息,即使它是隐藏的,也不是我的电话。)
我要删除的标题:
我也知道ASP.NET MVC也会发出自己的标头,如果您也知道如何删除它,那将会很有帮助。
Answers:
您的安全部门希望您执行此操作,以使服务器类型更难识别。这可能会减少自动黑客工具的数量,并使人们更难以侵入服务器。
在IIS中,打开网站属性,然后转到“ HTTP标头”选项卡。大多数X-标头都可以在此处找到并删除。可以为单个站点或整个服务器完成此操作(修改树中“ Web站点”对象的属性)。
对于Server标头,可以在IIS6上使用Microsoft的URLScan工具对其进行远程管理。Port 80 Software还生产一种称为ServerMask的产品,它将为您解决更多问题。
对于IIS7,有一篇很棒的文章介绍如何使用自定义模块来修改Server标头。
对于MVC标头,请在Global.asax中:
MvcHandler.DisableMvcResponseHeader = true;
要删除所有泄露过多信息的自定义标头-对于IIS 7,方法有所不同(不幸的是):
标题名称: X-Powered-By
加:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
在本<system.webServer>节中。
标头名称:服务器
通过从PreSendRequestHeaders事件中调用Response.Headers.Remove(“ Server”),实现一个httpModule来剥离此标头。另一个资源:在IIS 7上隐藏ASP.NET MVC Web应用程序
标头名称:X-AspNet-Version
在web.config的httpRuntime部分中-设置:
<httpRuntime enableVersionHeader="false" />
标头名称:X-AspNetMvc-Version
从global.asax中的Application_Start事件-执行以下代码(C#):
MvcHandler.DisableMvcResponseHeader = true;
将其放在ASP.NET应用程序的web.config文件中将摆脱X-AspNet-Version标头:
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
请注意,文件中应该已经存在system.web标记。不要创建重复项,只需添加httpRuntime标记。httpRuntime标记也可能已经存在。如果是这样,只需添加该属性或设置其值(如果已经存在)。
system.web我的网站时,该网站就关闭了。你知道为什么吗?
刚经历了当前项目的“强化”周期- 我在博客中介绍了我们采用的方法,其中包括用于删除以下标头的HTTPModule:
服务器,
X-AspNet版本,
X-AspNetMvc版本,
X-Powered-by
相关作品转载如下:
但是没有简单的方法可以通过配置删除服务器响应标头。幸运的是,IIS7具有托管的可插拔模块基础结构,可让您轻松扩展其功能。以下是用于删除指定的HTTP响应标头列表的HttpModule的源:
namespace Zen.Core.Web.CloakIIS
{
#region Using Directives
using System;
using System.Collections.Generic;
using System.Web;
#endregion
/// <summary>
/// Custom HTTP Module for Cloaking IIS7 Server Settings to allow anonymity
/// </summary>
public class CloakHttpHeaderModule : IHttpModule
{
/// <summary>
/// List of Headers to remove
/// </summary>
private List<string> headersToCloak;
/// <summary>
/// Initializes a new instance of the <see cref="CloakHttpHeaderModule"/> class.
/// </summary>
public CloakHttpHeaderModule()
{
this.headersToCloak = new List<string>
{
"Server",
"X-AspNet-Version",
"X-AspNetMvc-Version",
"X-Powered-By",
};
}
/// <summary>
/// Dispose the Custom HttpModule.
/// </summary>
public void Dispose()
{
}
/// <summary>
/// Handles the current request.
/// </summary>
/// <param name="context">
/// The HttpApplication context.
/// </param>
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
}
/// <summary>
/// Remove all headers from the HTTP Response.
/// </summary>
/// <param name="sender">
/// The object raising the event
/// </param>
/// <param name="e">
/// The event data.
/// </param>
private void OnPreSendRequestHeaders(object sender, EventArgs e)
{
this.headersToCloak.ForEach(h => HttpContext.Current.Response.Headers.Remove(h));
}
}
}
确保对程序集进行签名,然后可以将其安装到Web服务器的GAC中,并且只需对应用程序的web.config进行以下修改(或者如果希望将其全局应用到machine.config):
<configuration>
<system.webServer>
<modules>
<add name="CloakHttpHeaderModule"
type="Zen.Core.Web.CloakIIS.CloakHttpHeaderModule, Zen.Core.Web.CloakIIS,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=<YOUR TOKEN HERE>" />
</modules>
</system.webServer>
</configuration>
请改用Web.config自定义标头部分:
<system.webServer>
<httpProtocol>
<!-- Security Hardening of HTTP response headers -->
<customHeaders>
<!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjacking.
Recommended value "x-frame-options: SAMEORIGIN" -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Setting X-Permitted-Cross-Domain-Policies header to “master-only” will instruct Flash and PDF files that
they should only read the master crossdomain.xml file from the root of the website.
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Recommended value "X-XSS-Protection: 1; mode=block". -->
<add name="X-Xss-Protection" value="1; mode=block" />
<!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
If you have sensitive information in your URLs, you don't want to forward to other domains
https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="no-referrer-when-downgrade" />
<!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
<remove name="X-Powered-By" />
<!-- Ensure the cache-control is public, some browser won't set expiration without that -->
<add name="Cache-Control" value="public" />
</customHeaders>
</httpProtocol>
<!-- Prerequisite for the <rewrite> section
Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
<!-- Remove Server response headers (OWASP Security Measure) -->
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<!-- Use custom value for the Server info -->
<action type="Rewrite" value="Your Custom Value Here." />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
我使用以下代码为我iis 7.5工作
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}