Remove unnecessary http headers from ASP.NET
In connection with the latest initiatives of Google , the size of the web page and the speed of its loading have become relevant again. Download speed becomes one of the criteria for ranking search results. Much has already been written about GZip and Deflate compression, as well about server caching. Let's talk about the headlines.
So, your ASP.NET application, among others, sends the following headers to the client (values ​​may vary):
By removing these headers, we will “lighten” traffic for only 100 bytes for each request, but first , remember that these 100 bytes, multiplied by tens of thousands of requests to your server, will play a tangible role. Secondly , the absence of headers will complicate the lives of attackers, who will be deprived of information about your server version, ASP.NET version and platform in general.
Now to the point.
')
It's simple. It is enough to add a line to web.config:
If you are using the ASP.NET MVC framework, add this code to the Application_Start handler in the Global.asax file:
Run the IIS administration snap-in and go to the “service” tab in the website properties:
If you have IIS7, everything looks like:
It's more complicated. This header adds IIS itself, so you have to clean it with “hands” with a small hack, again in Global.asax, in the Application_PreSendRequestHeaders handler:
Unfortunately, this will only work with the Integrated Pipeline Mode setting enabled - read - “IIS7 only”. For IIS6 you will have to resort to the help of a free utility from Microsoft - UrlScan
So, your ASP.NET application, among others, sends the following headers to the client (values ​​may vary):
- Server : Microsoft-IIS / 6.0
- X-Powered-By : ASP.NET
- X-AspNet-Version : 2.0.50727
- (optional) X-AspNetMvc-Version : 1.0
By removing these headers, we will “lighten” traffic for only 100 bytes for each request, but first , remember that these 100 bytes, multiplied by tens of thousands of requests to your server, will play a tangible role. Secondly , the absence of headers will complicate the lives of attackers, who will be deprived of information about your server version, ASP.NET version and platform in general.
Now to the point.
')
Remove the X-AspNet-Version header.
It's simple. It is enough to add a line to web.config:
< httpRuntime enableVersionHeader ="false" />Remove the header X-AspNetMvc-Version
If you are using the ASP.NET MVC framework, add this code to the Application_Start handler in the Global.asax file:
MvcHandler.DisableMvcResponseHeader = true ;Remove the header X-Powered-By
Run the IIS administration snap-in and go to the “service” tab in the website properties:
If you have IIS7, everything looks like:
Remove the Server header
It's more complicated. This header adds IIS itself, so you have to clean it with “hands” with a small hack, again in Global.asax, in the Application_PreSendRequestHeaders handler:
//
HttpContext .Current.Response.Headers.Remove( "Server" );Unfortunately, this will only work with the Integrated Pipeline Mode setting enabled - read - “IIS7 only”. For IIS6 you will have to resort to the help of a free utility from Microsoft - UrlScan
Source: https://habr.com/ru/post/78213/
All Articles