Is it possible to remove information from Server E

Posted 2019-05-14 12:22

Question:

In order to better hide information from users, I'm trying to remove the Version information section from the standard ASP.NET error screen.

Custom errors are on, but, under certain circumstances, if you manage to get an error outside of your control (server issues perhaps?) then you can get through to the YSOD. I've tried changing the web.config to include the httpRuntime setting where you can set enableVersionHeader to false but the version information still comes through.

Also, in the Application_PreSendRequestHeaders method, I've tried to remove "X-AspNet-Version" from the response headers but that header doesn't exist due to the web.config setting.

Is what I want even possible within this context or will that information always exist?

Answer 1:

To hide .NET version information from .NET error pages (not generic IIS errors like 403, 404 etc.), use an empty element without the defaultRedirect attribute:

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly"/>
    </system.web>
</configuration>


To remove the X-AspNet-Version HTTP response header, set enableVersionHeader to False on the httpRuntime element:

<configuration>
    <system.web>
        <httpRuntime enableVersionHeader="False"/>
    </system.web>
</configuration>


Answer 2:

In IIS this problem can be resolved by changing the "HTTP Response Headers" configuration.


To remove X-AspNet-Version, in the web.config find/create <system.web> and add:

  <system.web>
    <httpRuntime enableVersionHeader="false" />

    ...

To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:

  protected void Application_Start()
  {
      MvcHandler.DisableMvcResponseHeader = true;
  }

To remove X-Powered-By, in the web.config find/create <system.webServer> and add:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    ...


Answer 3:

The problem could be that IIS is rendering the error page instead of ASP.NET. Try changing the system.webServer section of your web.config like this:

<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="500" subStatusCode="-1" />
    <error statusCode="500" subStatusCode="-1" responseMode="ExecuteURL" path="/500.aspx" />
  </httpErrors>
</system.webServer>

Also, check your IIS settings, that's probably where the X-AspNet-Version header is being set.
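
A small auditor for the settings mentioned across the three answers, as an added example that is not part of any answer or of the original page: it parses a web.config and reports which version-disclosing settings are still at risky values. The function name, finding strings and sample config are constructed for illustration; it assumes an un-namespaced `<configuration>` root and ignores `<location>` overrides and `MvcHandler.DisableMvcResponseHeader`, which is set in code.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the page); the X-Powered-By removal is left out on purpose.
SAMPLE = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly"/>
    <httpRuntime enableVersionHeader="false"/>
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <error statusCode="500" subStatusCode="-1" responseMode="ExecuteURL" path="/500.aspx"/>
    </httpErrors>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Return findings for the version-disclosure settings discussed in the answers."""
    root = ET.fromstring(xml_text)
    findings = []

    # customErrors defaults to RemoteOnly; only "Off" shows the detailed error page to remote clients.
    ce = root.find("system.web/customErrors")
    if ce is not None and ce.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode is Off")

    # enableVersionHeader defaults to true, so a missing element or attribute still emits the header.
    rt = root.find("system.web/httpRuntime")
    if rt is None or rt.get("enableVersionHeader", "true").lower() != "false":
        findings.append("X-AspNet-Version header not disabled")

    # X-Powered-By is typically inherited from server-level config and needs an explicit <remove>.
    removed = [r.get("name", "").lower() for r in
               root.findall("system.webServer/httpProtocol/customHeaders/remove")]
    if "x-powered-by" not in removed:
        findings.append("X-Powered-By header not removed")

    # errorMode="Detailed" makes IIS send its detailed error pages to remote clients.
    he = root.find("system.webServer/httpErrors")
    if he is not None and he.get("errorMode", "").lower() == "detailed":
        findings.append("httpErrors errorMode is Detailed")

    return findings

if __name__ == "__main__":
    for f in audit_web_config(SAMPLE):
        print("FINDING:", f)
```

A clean result only covers the application's own web.config; headers added at the server level or by a proxy still need to be checked on a live response.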