为了使我们的API和站点更加安全,我将删除泄露站点运行信息的标题.
剥离收割台前的示例:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
网状物配置:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
全球的尽快.反恐精英:
protected void Application_PreSendRequestHeaders() {
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
Response.AddHeader("Strict-Transport-Security", "max-age=300");
Response.AddHeader("X-Frame-Options", "SAMEORIGIN");
}
之后,所有对站点和API的调用都会返回更安全的标题,如下所示:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 05 Jun 2013 00:27:54 GMT
Content-Length: 3687
到现在为止还好.然而,我在Firebug中注意到,如果你查看静电内容(比如loading.gif),它仍然包含服务器头.
HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT
我假设这是由IIS以某种方式处理的,但找不到任何地方删除该头.我试着加上:
<remove name="Server" />
到Web中的httpProtocol/customHeaders部分.配置,如上所述.我还try 进入IIS管理器的HTTP响应头部分,为服务器头添加一个假名称/值对.在这两种情况下,它仍然会返回
Server: Microsoft-IIS/8.0
加载任何图像、CSS或JS时.我需要在哪里/做些什么来解决这个问题?