Question
I have an API which is valid for the POST/GET/PUT verbs, but if a hacker intercepts the request and changes the method to 'OPTIONS' instead of 'GET', he will get the error below in the HTTP response:
Allow: GET,POST,PUT { "Message": "The requested resource does not support http method 'OPTIONS'." }
This allows the hacker to identify which verbs are supported by the API. I have to restrict this header in the response.
I tried removing the 'WebDav' module but it is still showing the same message. I don't want the hacker to see this message and the Allow header.
Answer 1:
According to your requirement, I assume that you could specify the supported verbs in the Web.config
file as follows:
<system.webServer>
  <security>
    <requestFiltering>
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true" />
        <add verb="POST" allowed="true" />
        <add verb="PUT" allowed="true" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
If the client tries to access your API with other verbs, it will receive a 404 status code. Additionally, you'd better enable authentication in your Web API for better security.
Source: https://stackoverflow.com/questions/49774126/how-to-remove-allow-header-from-http-response
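As an added example (not from the original question or answer), the same goal can be reached at the application layer with a Web API message handler: any 405 the framework generates is replaced by a plain 404 with the Allow header removed, so both the request-filtering path and the Web API path disclose nothing. The handler class name and the registration line in WebApiConfig.Register are assumptions.

```csharp
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler: masks Web API's 405 Method Not Allowed responses.
public class StripAllowHeaderHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        if (response.StatusCode != HttpStatusCode.MethodNotAllowed)
        {
            return response;
        }

        // Web API places the Allow header on the content headers of the 405
        // it generates; clear it so the supported verb list is not echoed back.
        if (response.Content != null)
        {
            response.Content.Headers.Allow.Clear();
        }

        // Return a bare 404 with no body, matching what IIS request filtering
        // returns for unlisted verbs, so the two paths are indistinguishable.
        response.Dispose();
        return request.CreateResponse(HttpStatusCode.NotFound);
    }
}

// Registration (assumed location: WebApiConfig.Register):
// config.MessageHandlers.Add(new StripAllowHeaderHandler());
```

Note that request filtering in IIS rejects unlisted verbs before the request reaches Web API, so this handler only matters for verbs that pass the filter but are not mapped to an action.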