.NET IIS: common security vulnerability settings

| Security option | Configuration point |
|---|---|
| Block OPTIONS and TRACE HTTP responses | `<system.webServer> <security> <requestFiltering> <verbs allowUnlisted="true"> <add verb="OPTIONS" allowed="false"/> <add verb="TRACE" allowed="false"/> </verbs> </requestFiltering> </security> </system.webServer>` |
| Add security response headers | `<system.webServer> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> <add name="X-XSS-Protection" value="1; mode=block" /> <add name="X-Content-Type-Options" value="nosniff" /> <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" /> <remove name="X-Powered-By" /> <add name="Cache-Control" value="no-cache, no-store" /> <add name="Pragma" value="no-cache" /> </customHeaders> </httpProtocol> </system.webServer>` |
| Hide the IIS Server version header; takes effect only after the IIS URL Rewrite module is installed | `<system.webServer> <rewrite> <outboundRules> <rule name="replace server header" patternSyntax="Wildcard"> <match serverVariable="RESPONSE_SERVER" pattern="*"/> <action type="Rewrite" value=""/> </rule> </outboundRules> </rewrite> </system.webServer>` |
| Turn the 403 (forbidden) errors returned on directory access into a 404 page | `<system.webServer> <handlers> <add name="StopDirectoryBrowsing" path="*." resourceType="Directory" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" /> </handlers> </system.webServer>` or `<system.webServer> <httpErrors errorMode="Custom"> <remove statusCode="403" /> <error statusCode="403" path="ErrorPage.html" responseMode="ExecuteURL" /> </httpErrors> </system.webServer>` |
| Remove the ASP.NET version header | `<system.web> <httpRuntime enableVersionHeader="false" /> </system.web>` |
| Encrypt ViewState | `<system.web> <machineKey validation="AES" /> </system.web>` |
| Never expose raw server errors: enable custom error pages so that every error redirects to one custom error page | `<customErrors mode="On" defaultRedirect="customerErr.html"/>` |
| Jquery-1.8.0.js has known security issues | Upgrade to a newer version of the jQuery library |
| Submitted content is transmitted in plaintext | Can only be fixed by switching to https:// |
| Weak SSL Cipher | Disable the weak protocols SSL 2.0 and SSL 3.0 using the IISCrypto.exe tool |
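As an added example that is not part of the original post, the following Python script audits a web.config for several of the settings in the table above (blocked verbs, security headers, X-Powered-By removal, enableVersionHeader, customErrors). The sample config, the finding labels and the audit_web_config function are my own constructions for this demonstration.

```python
import xml.etree.ElementTree as ET

REQUIRED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "Strict-Transport-Security"}
DENIED_VERBS = {"OPTIONS", "TRACE"}

def audit_web_config(xml_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. OPTIONS and TRACE must be explicitly disallowed under requestFiltering
    denied = {v.get("verb", "").upper() for v in root.iterfind(".//requestFiltering/verbs/add")
              if v.get("allowed", "true").lower() == "false"}
    findings += [f"verb {v} not blocked" for v in DENIED_VERBS - denied]

    # 2. Hardening headers added, X-Powered-By removed
    added = {h.get("name") for h in root.iterfind(".//customHeaders/add")}
    removed = {h.get("name") for h in root.iterfind(".//customHeaders/remove")}
    findings += [f"header {h} missing" for h in REQUIRED_HEADERS - added]
    if "X-Powered-By" not in removed:
        findings.append("X-Powered-By not removed")

    # 3. ASP.NET version header must be switched off (IIS default is on)
    rt = root.find(".//httpRuntime")
    if rt is None or rt.get("enableVersionHeader", "true").lower() != "false":
        findings.append("enableVersionHeader not false")

    # 4. Custom error pages on, so raw exception details never reach the client
    ce = root.find(".//customErrors")
    if ce is None or ce.get("mode", "Off") != "On":
        findings.append("customErrors mode not On")
    return sorted(findings)

# Constructed sample: verbs and headers hardened, but the version header and
# custom errors are still at their defaults, so the audit reports two findings.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><httpRuntime /></system.web>
  <system.webServer>
    <security><requestFiltering><verbs allowUnlisted="true">
      <add verb="OPTIONS" allowed="false"/><add verb="TRACE" allowed="false"/>
    </verbs></requestFiltering></security>
    <httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN"/>
      <add name="X-Content-Type-Options" value="nosniff"/>
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
      <remove name="X-Powered-By"/>
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""
```

Run `audit_web_config(open("web.config").read())` against a real site's config to list which of the table's settings are still missing.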