Reference: CareySon - Delete unnecessary HTTP response headers in ASP.NET and IIS

Source: Internet
Author: User
Tags microsoft iis

Original article address: http://www.cnblogs.com/CareySon/archive/2009/12/14/1623624.html, by CareySon

Each time a browser sends a request to a web server, it sends some HTTP headers along with it. These headers give the web server additional information for processing the request. For example, if the browser supports compression, it sends the Accept-Encoding header so that the server knows which compression algorithms the browser can use. Any cookies set by the server in an earlier response are sent back to the server in the Cookie header, and the browser also sends the User-Agent header to tell the server which browser (IE, Firefox, Safari, etc.) the client is using, along with the browser version, the operating system, and other related information.

Similarly, the web server sends some HTTP headers along with its response to the client. These headers tell the browser how to render the content and how long to cache it. The web server also sends its own identification information, similar to the User-Agent header; these headers include the version of the web server and the current version of ASP.NET.

In some cases, some HTTP headers are required. However, the web server's self-identifying headers are not needed, and they add about 100 bytes to every response. Well, I agree that 100 bytes alone is not a big number, but it cannot be underestimated when it is transmitted thousands of times. In addition, exposing server information may cause security issues. Some attackers are familiar with the vulnerabilities of specific servers and specific ASP.NET versions; they scan a large number of servers and select specific ones (for example, IIS and ASP.NET 2.0.50727) as their targets.

This article discusses how to delete these unnecessary HTTP response headers.

Observe the HTTP Response Header of the Web Server

To see the HTTP headers exchanged between the server and the browser, you need to install some plug-ins in the browser. For example, Fiddler is free software released by Microsoft that records HTTP logs, and these logs contain the HTTP headers. In this article, I assume that the reader is familiar with this software. If you are not, I recommend that you read "Troubleshooting Website Problems by Examining the HTTP Traffic", which explains in detail how to install and use Fiddler.

Use Fiddler to inspect a website that runs on IIS and ASP.NET, such as the official Microsoft ASP.NET website. By default, the HTTP response generally contains three headers that identify the web server.

  • Server: specifies the server and its version, for example:
      • Server: Microsoft-IIS/6.0
      • Server: Microsoft-IIS/7.0
  • X-Powered-By: indicates that the site is "powered by ASP.NET":
      • X-Powered-By: ASP.NET
  • X-AspNet-Version: specifies the current ASP.NET version. Note that even if you use ASP.NET 3.5, X-AspNet-Version may report 2.0:
      • X-AspNet-Version: 2.0.50727
      • X-AspNet-Version: 1.1.4322
  • X-AspNetMvc-Version: specifies the current version of ASP.NET MVC (if ASP.NET MVC is used):
      • X-AspNetMvc-Version: 1.0

This server identification information is not used by the browser in most cases, so it can be safely removed. The rest of this article shows how to remove these HTTP headers.

Remove the X-AspNet-Version HTTP Header

The X-AspNet-Version HTTP header tells the world which ASP.NET version our server is running. Removing this header is a piece of cake: just add the following under the <system.web> node in web.config:

<httpRuntime enableVersionHeader="false" />

Isn't that easy and pleasant?

Remove the X-AspNetMvc-Version HTTP Header

The X-AspNetMvc-Version HTTP header is added automatically by the ASP.NET MVC framework; if you do not use ASP.NET MVC, this header does not exist. To remove it, set the DisableMvcResponseHeader property to true in the Application_Start event in Global.asax:

// C#
MvcHandler.DisableMvcResponseHeader = true;

' VB
MvcHandler.DisableMvcResponseHeader = True

Remove the X-Powered-By HTTP Header

The X-Powered-By HTTP header is not unique to ASP.NET. Other server-side languages, such as PHP, also send it. When ASP.NET is installed, this header is added to IIS as a custom HTTP header, so we need to delete it from the IIS configuration. If your website is in a shared hosting environment and does not use IIS7 with the integrated pipeline mode, you have to contact your hosting provider to remove it. (If your website runs on IIS7, you can remove it programmatically with an HTTP module.)

Remove the X-Powered-By HTTP header in IIS6:

  1. Start IIS Manager
  2. Expand the website directory
  3. Right-click the website and select Properties from the pop-up menu
  4. Select the HTTP Headers tab. All custom HTTP headers that IIS includes in its responses are listed here. To delete a header, select it and click Delete.

In IIS7, the method for removing the X-Powered-By HTTP header is:

  1. Start IIS Manager
  2. Expand the website directory
  3. Select the site you want to modify and double-click HTTP Response Headers
  4. All custom HTTP headers are listed here. To delete a header, click the "Remove" link on the right.

Remove the Server HTTP Header

This HTTP header is added automatically by IIS. You can use Microsoft's free URLScan tool to delete it.

If you are using the IIS7 integrated pipeline mode, you can also use an HTTP module to remove it programmatically. On Stefan Grobner's blog, the article "IIS 7 - How to send a custom "Server" http header" explains in detail how to modify the Server HTTP header. Put simply, you need to create an HTTP module and register an event handler for the PreSendRequestHeaders event. The code in this event handler is similar to:

HttpContext.Current.Response.Headers.Remove("Server");

Howard von Rooijen's article discusses further how to remove the Server HTTP header in IIS7 with the integrated pipeline mode. For more details, see "Cloaking your ASP.NET MVC Web Application on IIS 7".
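
A complete form of the HTTP module described above, as an added example that is not code from the original article or from the blogs it cites. The namespace Example and the class name RemoveIdentityHeadersModule are assumptions, and the module goes beyond the single Server line shown by also stripping the two ASP.NET version headers.

```csharp
// Added example. Names "Example" and "RemoveIdentityHeadersModule" are
// assumptions. Register it in web.config under <system.webServer><modules>:
//   <add name="RemoveIdentityHeadersModule"
//        type="Example.RemoveIdentityHeadersModule" />
// (use "Type, Assembly" if the class lives in a separate assembly).
using System;
using System.Web;

namespace Example
{
    public sealed class RemoveIdentityHeadersModule : IHttpModule
    {
        // Identification headers from this article that are set in the
        // managed response. X-Powered-By is an IIS custom header and is
        // removed in the IIS configuration as described above.
        private static readonly string[] IdentityHeaders =
        {
            "Server",
            "X-AspNet-Version",
            "X-AspNetMvc-Version"
        };

        public void Init(HttpApplication application)
        {
            // Response.Headers can only be modified in IIS 7 integrated
            // pipeline mode; elsewhere it throws
            // PlatformNotSupportedException, so do not subscribe there.
            if (HttpRuntime.UsingIntegratedPipeline)
            {
                application.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            if (context == null) return;

            // Removing a header that is not present is a no-op.
            foreach (string name in IdentityHeaders)
            {
                context.Response.Headers.Remove(name);
            }
        }

        public void Dispose() { /* nothing to release */ }
    }
}
```

After deploying it, capture a response in Fiddler again and confirm that the three headers no longer appear.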

 
