Author: 清晨竹林9_877 | Source: Internet | 2023-08-28 13:49
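When we develop with ASP.NET, the application is ultimately deployed on IIS. When an HTTP request is sent, the HTTP response headers include the Server, X-Powered-By, and X-AspNet-Version information. This information sometimes gives attackers a basis for finding vulnerabilities in your site. As the figure below shows, we can see them with FireBug:
Removing X-AspNet-Version is simple: just add this configuration element to Web.config:
    <httpRuntime enableVersionHeader="false" />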
    using System;
    using System.Web;

    public class RemoveServerInfoModule : IHttpModule
    {
        #region IHttpModule Members
        public void Dispose()
        {
            // no code necessary
        }
        public void Init(HttpApplication context)
        {
            // run our handler just before the response headers are sent
            context.PreSendRequestHeaders += new EventHandler(context_PreSendRequestHeaders);
        }
        void context_PreSendRequestHeaders(object sender, EventArgs e)
        {
            // strip the "Server" header from the current Response
            HttpContext.Current.Response.Headers.Remove("Server");
        }
        #endregion
    }
The code above will raise an exception; it is better to implement the PreSendRequestHeaders handler like this:
    void context_PreSendRequestHeaders(object sender, EventArgs e)
    {
        try
        {
            HttpApplication app = sender as HttpApplication;
            // Local requests are skipped, so the Server header is still
            // sent when you browse the site from the server itself.
            if (null != app && null != app.Request && !app.Request.IsLocal && null != app.Context && null != app.Context.Response)
            {
                var headers = app.Context.Response.Headers;
                if (null != headers)
                {
                    headers.Remove("Server");
                }
            }
        }
        catch (Exception)
        {
            // rethrows the exception unchanged
            throw;
        }
    }
Finally, register this HttpModule in Web.config:
    <httpModules>
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
    </httpModules>
For IIS 7:
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true">
        <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule"/>
      </modules>
    </system.webServer>
That's it. When you run the ASP.NET web application again, the Server, X-AspNet-Version, and similar information is no longer shown.
Hope this helps with your development.
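The page names X-Powered-By among the disclosed headers but shows no setting for it. The Web.config below is an added example, not part of the original post: it combines the two settings above for the IIS 7 integrated pipeline with the standard IIS `customHeaders` removal for X-Powered-By. It assumes the module is compiled as `MyWeb.RemoveServerInfoModule`, as in the registration shown earlier.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET setting from the page: stop emitting X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Addition not on the original page: IIS adds X-Powered-By as a
             custom response header inherited from the server-level
             configuration, so it is removed here rather than in code. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Module registration from the page: the managed module strips the
         Server header. runAllManagedModulesForAllRequests="true" also runs
         it for static files, which otherwise bypass managed modules. -->
    <modules runAllManagedModulesForAllRequests="true">
      <add name="RemoveServerInfoModule" type="MyWeb.RemoveServerInfoModule" />
    </modules>
  </system.webServer>
</configuration>
```

Because the handler above skips requests where `Request.IsLocal` is true, check the result from another machine: a request made on the server itself still shows the Server header.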