Each time a browser initiates a request to the Web server, some HTTP headers are sent. These HTTP headers are used to provide additional information to the Web server for processing requests. For example. If the browser supports compression, the browser sends Accept-Encoding In this way, the server will know which compression can be used by the browser Algorithm . Any cookies set by the server during the previous transmission will also pass Cookies The HTTP header is sent back and forth to the server, and the browser also sends messages to the server to let the server know which browser (ie, Firefox, Safari, etc.) the Customer is using, the browser version, the operating system, and other related information. User-Agent HTTP header.
Similarly, the web server will also be accompanied by some HTTP headers when sending back to the client. These HTTP headers can notify the browser how to generate the corresponding content and the cache time, the Web server also sends its own identification information, which is similarUser-AgentHTTP header. the header information includes the version of the web server and the current version of ASP. NET.
In some cases, some HTTP headers are required. However, the web server itself does not need to identify the header information, which causes about 100 bytes to be transmitted each time. Well, I agree that 100 bytes alone is not a big number, but it cannot be underestimated when it is transmitted for thousands of times. In addition, the provision of server information may cause security issues. Some attackers are familiar with specific servers and vulnerabilities contained in specific Asp.net versions, they scan a large number of servers and select a specific server (for example, IIS and Asp.net 2.0.50727) as their targets.
And this articleArticleLet's talk about how to delete these unnecessary HTTP response headers.
Observe the HTTP Response Header of the Web Server
To see the HTTP header for communication between the server and the browser, you need to install some plug-ins in the browser. For example, Fiddler is a free software released by Microsoft to record HTTP logs. These HTTP logs will contain the HTTP header. In this article, I will assume that the reader is familiar with this software. If you are not familiar with this software, I recommend that you read troubleshooting website problems by examining the HTTP traffic. This article details how to install and use Fiddler.
Use Fiddler to find a web server that uses IIS and Asp.net, such as the official website of Microsoft Asp.net. Generally, by default, the HTTP response header contains three identification headers of the Web server.
These server identification information is not used by the browser in most cases, so it can be safely removed. The rest of this article will show how to remove these HTTP headers
Remove the X-ASPnet-version HTTP Header
The X-ASPnet-version HTTP header will tell the world the current Asp.net version used by our servers. Removing this HTTP header is simply a piece of cake, just on the web. <system. web> Add the following content under the node:
< Httpruntime Enableversionheader = "False" />
Is it very easy and pleasant?
Remove the X-aspnetmvc-version HTTP Header the HTTP header X-aspnetmvc-version is automatically added to the Asp.net MVC framework, if you do not use Asp.net MVC, this HTTP header does not exist. the method to remove this HTTP header is in global. application_start In the event, the set the disablemvcresponseheader attribute to true
Remove the X-powered-by HTTP Header// C #Mvchandler. disablemvcresponseheader =True; 'Vbmvchandler. disablemvcresponseheader = true
The X-powered-by HTTP header does not only exist in Asp.net. Other server languages, such as PHP, also contain this HTTP header. When Asp.net is installed, this header is inserted into IIS as a custom HTTP header. Therefore, we need to delete this HTTP header from the IIS configuration, if your website is in a shared environment and does not use iis7 and uses the pipeline mode, you have to contact your space provider to remove it. (If your website is in the iis7 environment, you can remove it through programming in the form of HTTP module)
Remove the X-powered-by HTTP header from IIS6:
In iis7, the method for removing the X-powered-by HTTP header is:
This HTTP header is automatically appended to the current IIS. You can use Microsoft's free URLScan Tool to delete this HTTP header.
if you are using iis7 integrated pipeline mode, you can also use the HTTP module to remove it programmatically. In stefan grobner's blog, IIS 7-how to send a custom "server" HTTP header this article details how to modify the Server HTTP header. to put it simply, you need to create an HTTP module and set it to presendrequestheaders event creation event processing Program , the Code in this event handler is similar to:
Httpcontext. Current. response. headers. Remove ("Server");
Howard von rooijen's article further discusses how to remove the Server HTTP header in iis7 and integrated pipeline mode. For more details, see cloaking your asp. net MVC web application on IIS 7
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
