本文主要介绍如何优化ASP.NET MVC使用IIS时Response Header中的不必要的信息
默认的,创建一个ASP.NET MVC项目,会在Response Header中包含一些敏感的信息,这些信息是没有什么用处的但是会暴露出IIS的配置信息等。
下面是默认的Response Header信息:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:8024 Content-Type:text/html; charset=utf-8 Date:Fri, 30 Sep 2016 03:17:10 GMT Server:Microsoft-IIS/10.0 Vary:Accept-Encoding X-AspNet-Version:4.0.30319 X-AspNetMvc-Version:5.2 X-Frame-Options:SAMEORIGIN X-Powered-By:ASP.NET X-SourceFiles:=?UTF-8?B?RDpcV29ya1wyMDE2XE56TmQuSWRlbnRpdHlcR0xELldlYlxTdXBlclxVc2Vycw==?=
.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
以上内容中,红色部分并不是必须输出的信息,相反会暴露服务器的一些配置信息等,以下逐一介绍如何移除不需要的输出信息:
- X-AspNetMvc-Version
打开Global.asax.cs ,在Application_Start方法中,添加如下代码:
MvcHandler.DisableMvcResponseHeader = true;.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
- Server
同样在Global.asax.cs 中,添加如下代码
protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { HttpApplication app = sender as HttpApplication; if (app != null && app.Context != null) { app.Context.Response.Headers.Remove("Server"); } }
- X-AspNet-Version
在Web.config文件中找到system.web节点,添加如下配置:
<httpRuntime enableVersionHeader="false" />.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
- X-Powered-By
在Web.Config文件中找到system.webservice,添加如下配置:
<httpProtocol> <customHeaders> <remove name="X-Powered-By" /> </customHeaders> </httpProtocol>.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
OK,做完上面的操作,编译后打开,F12中可以看到,Response Header内容如下:
Cache-Control:private, s-maxage=0 Content-Encoding:gzip Content-Length:8018 Content-Type:text/html; charset=utf-8 Date:Fri, 30 Sep 2016 02:35:39 GMT Vary:Accept-Encoding X-Frame-Options:SAMEORIGIN X-SourceFiles:=?UTF-8?B?RDpcV29ya1wyMDE2XE56TmQuSWRlbnRpdHlcR0xELldlYlxTdXBlclxVc2Vycw==?=.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { color: #cc6633; }
.csharpcode .asp { background-color: #ffff00; }
.csharpcode .html { color: #800000; }
.csharpcode .attr { color: #ff0000; }
.csharpcode .alt
{
background-color: #f4f4f4;
width: 100%;
margin: 0em;
}
.csharpcode .lnum { color: #606060; }
不必要的信息已经被去掉了。清爽很多!