Remove unnecessary HTTP response headers in ASP.NET and IIS [repost]


http://www.cnblogs.com/CareySon/archive/2009/12/14/1623624.html

Introduction

Each time a browser sends a request to a web server, it includes some HTTP headers. These headers give the server additional information to help it process the request. For example, if the browser supports compression, it sends an Accept-Encoding HTTP header so that the server knows which compression algorithms the browser can use. Any cookies the server set in an earlier response are sent back to the server in the Cookie HTTP header. The browser also sends a User-Agent HTTP header, which tells the server which browser the client is using (IE, Firefox, Safari, etc.), the browser version, the operating system and other related information.

Similarly, the web server sends some HTTP headers back to the client. These headers tell the browser how to render the content and how long to cache it. The web server also sends its own identifying information, much like the User-Agent HTTP header; these headers include the version of the web server and the version of ASP.NET currently in use.

Some HTTP headers are required, but the web server's self-identifying headers are not, and they add 100 bytes or so to each response. Granted, 100 bytes is not a large number on its own, but it adds up over thousands of transmissions. In addition, exposing server information can lead to security issues: some attackers know the vulnerabilities of specific servers and specific versions of ASP.NET. They scan a large number of servers and select specific ones (translator's note: IIS and ASP.NET 2.0.50727) as targets for their attack.

This article explains how to remove these unnecessary HTTP response headers.

Observing the HTTP response headers of the web server

To see the HTTP headers exchanged between the server and the browser, you need to install a plug-in for the browser. For example, Fiddler is free software released by Microsoft for logging HTTP traffic, and these logs include the HTTP headers. In this article I assume the reader is already familiar with Fiddler; if you are not, I recommend reading Troubleshooting Website Problems by Examining the HTTP Traffic, which explains in detail how to install and use Fiddler.

Using Fiddler, visit a web site that runs on IIS and ASP.NET, such as the official Microsoft web site. By default, the HTTP response usually contains the 3 self-identifying headers of the web server:

    • Server, which specifies the web server and its version, such as:
      • Server: Microsoft-IIS/6.0
      • Server: Microsoft-IIS/7.0
    • X-Powered-By, which indicates that this site is "powered by ASP.NET":
      • X-Powered-By: ASP.NET
    • X-AspNet-Version, which specifies the version of ASP.NET in use. Note that even if you use a later version of ASP.NET, X-AspNet-Version may report that you are using 2.0:
      • X-AspNet-Version: 2.0.50727
      • X-AspNet-Version: 1.1.4322
    • X-AspNetMvc-Version, which specifies the version of ASP.NET MVC in use (if you use ASP.NET MVC):
      • X-AspNetMvc-Version: 1.0

In most cases the browser does not use this self-identifying information, so it can be safely removed. The remainder of this article shows how to remove these HTTP headers.

Remove the X-AspNet-Version HTTP header

The X-AspNet-Version HTTP header tells the world which version of ASP.NET our server is currently using. Removing this header is a piece of cake: just add the following to the <system.web> node of Web.config:

<httpRuntime enableVersionHeader="false" />

Easy and painless, isn't it?

Remove the X-AspNetMvc-Version HTTP header

The X-AspNetMvc-Version HTTP header is added automatically by the ASP.NET MVC framework; if you do not use ASP.NET MVC, this header is not present. To remove it, set the DisableMvcResponseHeader property of the MvcHandler class to True in the Application_Start event in Global.asax.

Remove the X-Powered-By HTTP header

The X-Powered-By HTTP header is not unique to ASP.NET; other server-side languages, such as PHP, also send it. When ASP.NET is installed, this header is inserted into IIS as a custom HTTP header, so we need to remove it from the IIS configuration. If your site is in a shared hosting environment and you are not using IIS7 in integrated pipeline mode, you will have to contact your hosting provider to remove it for you. (If your site runs on IIS7, you can remove it programmatically via an HTTP module.)

To remove the X-Powered-By HTTP header in IIS6:

    1. Start the IIS Manager
    2. Expand the Web Sites folder
    3. Right-click the web site and select Properties from the popup menu
    4. Select the HTTP Headers tab. All the custom HTTP headers included in IIS responses are shown here; select the header you want to remove and click Delete.

To remove the X-Powered-By HTTP header in IIS7:

    1. Start the IIS Manager
    2. Expand the Sites folder
    3. Select the site you want to modify and double-click HTTP Response Headers
    4. All the custom HTTP headers are listed here; to delete a header, select it and click the "Remove" link on the right.

Remove the Server HTTP header

This HTTP header is automatically added to IIS responses. To remove it, you can use Microsoft's free URLScan tool.

If you are using IIS7 in integrated pipeline mode, you can also remove it programmatically with an HTTP module. Stefan Grobner's blog post IIS 7 - How To Send A Custom "Server" HTTP Header explains in detail how to modify the Server HTTP header. Simply put, you need to create an HTTP module and add an event handler for the PreSendRequestHeaders event. The code in this event handler will look similar to:

HttpContext.Current.Response.Headers.Remove("Server");

Howard von Rooijen's article discusses in depth how to remove the Server HTTP header in IIS7 integrated pipeline mode; see: Cloaking your ASP.NET MVC Web Application on IIS 7
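
The HTTP module described above, written out in full. This is an added example, not code from the original article or from the posts it cites; the namespace ExampleSite and the class name RemoveServerHeaderModule are hypothetical.

```csharp
using System;
using System.Web;

namespace ExampleSite // hypothetical namespace
{
    // Strips the Server header from every response just before the
    // headers are sent. Works only in the IIS7 integrated pipeline.
    //
    // Register the module in Web.config (class placed in App_Code;
    // append ", AssemblyName" to the type if it is compiled separately):
    //   <system.webServer>
    //     <modules>
    //       <add name="RemoveServerHeaderModule"
    //            type="ExampleSite.RemoveServerHeaderModule" />
    //     </modules>
    //   </system.webServer>
    public class RemoveServerHeaderModule : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            // Subscribe once per HttpApplication instance.
            application.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers throws PlatformNotSupportedException in
            // classic mode and on IIS6, so leave the response untouched there.
            if (!HttpRuntime.UsingIntegratedPipeline)
            {
                return;
            }

            var application = (HttpApplication)sender;
            application.Response.Headers.Remove("Server");
        }

        public void Dispose()
        {
            // Nothing to release: the handler is static and holds no state.
        }
    }
}
```

After deploying it, request a page through Fiddler again and confirm that the Server header no longer appears in the response.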

Summary

Removing the server's self-identifying response headers has the following benefits:

    • It reduces the amount of data that needs to be transferred between the server and the browser
    • It makes it more difficult for hackers to attack the server, making the server stronger

The HTTP headers above bring no direct benefit and slightly increase bandwidth usage; fortunately, we can remove them through configuration.

Happy programming!

  • by Scott Mitchell

-----------------------------------------------------------------------------------------

Original link: http://aspnet.4guysfromrolla.com/articles/120209-1.aspx
