ASP.NET 删除不想要的头部信息

根据安全扫描要求移除多余的头部信息,试了多种方法终于找到可行的办法,记录下.

1.移除X-AspNet-Version

项目的web.confg中<system.web> 节点添加如下配置:

<httpRuntime
  enableVersionHeader="false" />

2.移除Server

由于异步请求会导致通过管理模块IHttpModule无法修改头部信息,正确的做法是用BeginRequest去处理:

protected void Application_BeginRequest(object sender, EventArgs e)
{
  var application = sender as HttpApplication;
  if (application != null && application.Context != null)
  {
    application.Context.Response.Headers.Remove("Server");
  }
}

3.移除 X-Powered-By

默认IIS会告诉大家它使用ASP.NET

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server:
X-Powered-By: ASP.NET
X-UA-Compatible: IE=Edge,chrome=1
Date: Sun, 06 Jul 2014 10:07:37 GMT
Connection: close

这个响应的头部信息可以使用 web.config的 <system.webServer> 节点下通过设置customHeaders进行移除:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
  </customHeaders>
</httpProtocol>

参考:
1.Remove IIS Server version HTTP Response Header