Remove sensitive Headers from Azure PaaS hosted Websites

Submitted by 和自甴很熟 on 2019-12-12 03:59:13

Question


If you follow this article on the Azure Blog, you can remove the Server, X-Powered-By and MVC version headers, which is great.

You can also achieve something similar with a custom IIS module using the following method:

using System;
using System.Web;
public class RemoveHeadersModule : IHttpModule
{
   public void Init(HttpApplication app) => app.PreSendRequestHeaders += OnPreSendRequestHeaders;
   public void Dispose() { }
   private void OnPreSendRequestHeaders(object sender, EventArgs e) // runs just before headers are flushed
   {
      HttpContext.Current?.Response.Headers.Remove("Server");
      HttpContext.Current?.Response.Headers.Remove("X-AspNet-Version");
      HttpContext.Current?.Response.Headers.Remove("X-AspNetMvc-Version");
      HttpContext.Current?.Response.Headers.Remove("X-Powered-By");
   }
}

However, if you send the following query string:

https://yourAppService.azurewebsites.net/test.txt:

You manage to avoid all the steps you've taken to avoid sending the headers you are trying to keep away from potential hackers.

Sample Request:

Sample Response:

Is there a way to completely remove these headers from ALL responses, and not just requests the app manages to handle gracefully? I have managed to remove the headers from 99% of responses, but not all!

UPDATE:

I have also found if you use PostMan to send a GET request to

https://yourSite.azurewebsites.net/400errortest%00

you get

UPDATE:

The request to /test.txt: was reported fixed by MS on the 26th June 2017. I can confirm it is fixed for this scenario.

Requests to https://yourSite.azurewebsites.net/400errortest%00 via PostMan still return a Server header, which is not great.
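A managed module only sees responses that reach the ASP.NET pipeline, which is exactly why the malformed requests above still leak. The web.config below is an added example (not from the question's author or from Microsoft's article) that pushes as much of the header removal as possible down to the IIS layer, where it also applies to IIS-generated error responses; the module name RemoveHeadersModule is assumed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Stops ASP.NET emitting X-AspNet-Version on every managed response -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <!-- runAllManagedModulesForAllRequests makes the module fire for static
         files such as /test.txt, not only for requests routed to ASP.NET -->
    <modules runAllManagedModulesForAllRequests="true">
      <!-- Assumed class name: the PreSendRequestHeaders module from the question -->
      <add name="RemoveHeadersModule" type="RemoveHeadersModule" />
    </modules>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By is added by IIS itself, so remove it at the IIS layer -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- IIS 10+ (supported on App Service): suppresses the Server header on
           responses IIS generates, including error pages the managed pipeline
           never sees. Responses rejected earlier by http.sys are outside
           web.config's reach, so re-test the %00 case after deploying. -->
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

X-AspNetMvc-Version has no config switch; set MvcHandler.DisableMvcResponseHeader = true in Application_Start so it is never added in the first place rather than stripped afterwards.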


Answer 1:


If we use a URL ending with : to visit the Azure website, we get a 500 error; the default behaviour should be a 404 error. The Azure team has opened an internal bug and plans to fix it.



Source: https://stackoverflow.com/questions/42275321/remove-sensitive-headers-from-azure-paas-hosted-websites
