我放置了自定义错误页面,并放置了动词阻止功能,仅允许GET和POST。 但是,当我尝试其他方法(DELETE,OPTION,TRACE)时,它没有重定向到自定义错误页面,也是公开服务器版本。 HTTP 200中未公开服务器版本。
错误页面处理-:
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="sspERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="sspERR.aspx" responseMode="Redirect"/>
</httpErrors>
规则
<httpErrors errorMode="Custom" existingResponse="Auto" defaultResponseMode="Redirect" >
<remove statusCode="500" subStatusCode="-1" />
<error statusCode="404" path="sspERR.aspx" responseMode="Redirect"/>
<error statusCode="500" path="sspERR.aspx" responseMode="Redirect"/>
</httpErrors>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<clear/>
<add verb="GET" allowed="true"/>
<add verb="POST" allowed="true"/>
</verbs>
</requestFiltering>
</security>
<rewrite>
<outboundRules rewriteBeforeCache="true">
<rule name="Remove RESPONSE_Server" >
<match serverVariable="RESPONSE_Server" pattern=".+"/>
<action type="Rewrite" value="" />
</rule>
</outboundRules>
</rewrite>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<modules runAllManagedmodulesForAllRequests="true" />
Global.asax文件-:
protected void Application_PreSendRequestHeaders(object sender,EventArgs
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}