How to remove Allow header from Http Response?

Posted 2019-09-20 17:21

I have an API which is valid for the POST/GET/PUT verbs, but if a hacker intercepts the request and changes the method to 'OPTIONS' instead of 'GET', he will get the error below in the HTTP response:

Allow: GET,POST,PUT
{ "Message": "The requested resource does not support http method 'OPTIONS'." }

This allows the hacker to identify which verbs are supported by the API. I have to restrict this header in the response.

I tried removing the 'WebDav' module, but it still shows the same message. I don't want the hacker to see this message and the Allow header.

1 answer
我想做一个坏孩纸
Post #2 · 2019-09-20 17:38

According to your requirement, I assumed that you could specify the supported verbs in the Web.config file as follows:

<system.webServer>
  <security>
    <requestFiltering>
      <!-- allowUnlisted="false": any verb not listed below is rejected by
           request filtering before it reaches the Web API pipeline -->
      <verbs allowUnlisted="false">
        <add verb="GET" allowed="true" />
        <add verb="POST" allowed="true" />
        <add verb="PUT" allowed="true" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

If the client tries to access your API with other verbs, it will receive a 404 status code. Additionally, you'd better enable authentication in your Web API for better security.
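To verify that the request-filtering change actually stops the enumeration described in the question, the following probe sends the unexpected verbs to an endpoint and reports whether any response still carries an Allow header. This is an added example, not code from the original post or the answer; the target URL, the verb list and the sample response embedded in it are assumptions constructed for illustration.

```python
"""Probe an endpoint with verbs an attacker would try and flag responses that
enumerate supported methods via the Allow header.

Added example, not part of the original post. The verb list and the embedded
sample response are constructed assumptions.
"""
import http.client
import sys
from urllib.parse import urlparse

# Verbs beyond the documented GET/POST/PUT that a probing attacker would try.
PROBE_VERBS = ("OPTIONS", "HEAD", "DELETE", "PATCH", "TRACE", "PROPFIND")

# Constructed sample: what the question shows Web API returning before the fix.
SAMPLE_RESPONSE = (
    405,
    {"Allow": "GET,POST,PUT", "Content-Type": "application/json; charset=utf-8"},
)


def classify(status, headers):
    """Classify one response by what it reveals about supported verbs.

    headers may be a plain dict or an http.client response's header object;
    header names are matched case-insensitively.
    Returns (kind, allowed_verbs).
    """
    allow = next((v for k, v in headers.items() if k.lower() == "allow"), None)
    if allow:
        # The server enumerates its supported verbs for the attacker.
        verbs = [v.strip().upper() for v in allow.split(",") if v.strip()]
        return ("allow-leak", verbs)
    if status == 404:
        # What IIS request filtering returns for a verb that is not allowed.
        return ("filtered", [])
    if status == 405:
        # Method rejected, but without telling the client which ones work.
        return ("rejected-no-allow", [])
    return ("other", [])


def probe(url, verbs=PROBE_VERBS, timeout=5):
    """Send each verb to url and classify the response (makes network calls)."""
    parsed = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parsed.scheme == "https"
                else http.client.HTTPConnection)
    results = {}
    for verb in verbs:
        conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
        try:
            conn.request(verb, parsed.path or "/")
            resp = conn.getresponse()
            resp.read()
            results[verb] = classify(resp.status, resp.headers)
        finally:
            conn.close()
    return results


def leaks(results):
    """Return {verb: advertised_verbs} for every probe that leaked an Allow header."""
    return {v: allowed for v, (kind, allowed) in results.items() if kind == "allow-leak"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = leaks(probe(sys.argv[1]))
    else:
        # Offline demo against the constructed sample response.
        found = leaks({"OPTIONS": classify(*SAMPLE_RESPONSE)})
    for verb, advertised in found.items():
        print(f"{verb}: Allow header leaks {', '.join(advertised)}")
    if not found:
        print("no Allow header leaked")
```

Run it as `python probe_verbs.py https://host/api/resource` after deploying the config; every probed verb should come back as `filtered` (404) with no Allow header. Note that with `allowUnlisted="false"` HEAD and OPTIONS are also rejected unless you list them, so browser CORS preflights (which use OPTIONS) and any clients relying on HEAD will break unless those verbs are added to the list.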
