Preface
Why hide the Server response header:
The value of the Server header exposes how the service is run (the server software and its version) and the language it is written in, which makes the system easier to fingerprint and therefore less secure.
1. Removing the Server response header in Django
Windows
Open the source file lib/wsgiref/handlers.py (or locate it by importing it with from wsgiref import handlers) and change send_preamble as follows:
    def send_preamble(self):
        """Transmit version/status/date/server, via self._write()"""
        if self.origin_server:
            if self.client_is_modern():
                self._write(('HTTP/%s %s\r\n' % (self.http_version, self.status)).encode('iso-8859-1'))
                if 'Date' not in self.headers:
                    self._write(
                        ('Date: %s\r\n' % format_date_time(time.time())).encode('iso-8859-1')
                    )
                if self.server_software and 'Server' not in self.headers:
                    pass  # add this pass
                    # self._write(('Server: %s\r\n' % self.server_software).encode('iso-8859-1'))  # comment out this line
        else:
            self._write(('Status: %s\r\n' % self.status).encode('iso-8859-1'))
Linux
Edit the file /root/lib/python3.6/site-packages/wsgiref/handlers.py directly.
If your Python path is different, use the following steps to see where Python stores its packages, then find the corresponding package and modify it. The same method can be used to locate the packages of the other frameworks below on Linux:
    [root@test]# python3.6
    >>> import sys
    >>> print(sys.path)
    ['', '/root/lib/python36.zip', '/root/lib/python3.6', '/root/lib/python3.6/lib-dynload', '/root/lib/python3.6/site-packages']
- Modify the code in /root/lib/python3.6/site-packages/wsgiref/handlers.py the same way as on Windows.
- When editing with vim, type /<text to find> in command mode to jump to the relevant code.
2. Removing the Server response header in Tornado
Windows
Looking at the source, the header is set in <virtual-environment third-party package path>/tornado/web.py, in the clear method of the RequestHandler class (or locate the class by importing it with from tornado.web import RequestHandler). Comment out the line "Server": "TornadoServer/%s" % tornado.version, as follows:
    def clear(self) -> None:
        """Resets all headers and content for this response."""
        self._headers = httputil.HTTPHeaders(
            {
                # "Server": "TornadoServer/%s" % tornado.version,  # commented out
                "Content-Type": "text/html; charset=UTF-8",
                "Date": httputil.format_timestamp(time.time()),
            }
        )
        self.set_default_headers()
        self._write_buffer = []  # type: List[bytes]
        self._status_code = 200
        self._reason = httputil.responses[200]
Linux
- Go to /root/lib64/python3.6/site-packages/tornado/ (note that this is the lib64 directory) and edit the web.py file
- Modify the code the same way as on Windows
3. Removing the Server response header in Flask
Windows
Locate serving.py by importing it with from werkzeug import serving, then modify the code in that file as follows:
    def run_wsgi(self):
        if self.headers.get("Expect", "").lower().strip() == "100-continue":
            self.wfile.write(b"HTTP/1.1 100 Continue\r\n\r\n")

        self.environ = environ = self.make_environ()
        headers_set = []
        headers_sent = []

        def write(data):
            assert headers_set, "write() before start_response"
            if not headers_sent:
                status, response_headers = headers_sent[:] = headers_set
                try:
                    code, msg = status.split(None, 1)
                except ValueError:
                    code, msg = status, ""
                code = int(code)
                self.send_response(code, msg)
                header_keys = set()
                for key, value in response_headers:
                    if key == "Server":  # added
                        continue  # added
                    self.send_header(key, value)
                    key = key.lower()
                    header_keys.add(key)
                if not (
                    "content-length" in header_keys
                    or environ["REQUEST_METHOD"] == "HEAD"
                    or code < 200
                    or code in (204, 304)
                ):
                    self.close_connection = True
                    self.send_header("Connection", "close")
                # if "server" not in header_keys:  # commented out
                #     self.send_header("Server", self.version_string())  # commented out
                if "date" not in header_keys:
                    self.send_header("Date", self.date_time_string())
                self.end_headers()

            assert isinstance(data, bytes), "applications must write bytes"
            self.wfile.write(data)
            self.wfile.flush()
Linux
Edit the file /root/lib64/python3.6/site-packages/werkzeug/serving.py and modify the code the same way as on Windows
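An added example (not from this post or from any of the projects above) that covers both the Django/wsgiref and Flask/werkzeug sections: instead of editing the installed library, a WSGI middleware supplies a neutral Server value, which both development servers keep instead of writing their own. mask_server_header, hello_app, QuietHandler and fetch_server_header are this example's own names, and the check runs against the stdlib wsgiref server on loopback.

```python
import http.client
import threading
from wsgiref.simple_server import WSGIRequestHandler, make_server

NEUTRAL_SERVER = "web"  # constructed placeholder; any bland token will do

def mask_server_header(app, value=NEUTRAL_SERVER):
    """This example's own WSGI middleware: set a neutral Server header on every
    response. wsgiref's send_preamble and the werkzeug run_wsgi quoted above
    write their own Server line only when the app did not set one."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "server"]
            headers.append(("Server", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

class QuietHandler(WSGIRequestHandler):
    """Same request handler, minus the per-request access-log line."""
    def log_message(self, format, *args):
        pass

def fetch_server_header(app):
    """Serve one request on a loopback port; return the Server header received."""
    srv = make_server("127.0.0.1", 0, app, handler_class=QuietHandler)
    srv.timeout = 5  # give up instead of hanging if no request ever arrives
    worker = threading.Thread(target=srv.handle_request)
    worker.start()
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Server")
    finally:
        conn.close()
        worker.join()
        srv.server_close()

if __name__ == "__main__":
    print("unpatched:", fetch_server_header(hello_app))  # e.g. WSGIServer/0.2 Python/3.11.4
    print("masked:   ", fetch_server_header(mask_server_header(hello_app)))  # web
```

For Flask the same wrapper is applied with app.wsgi_app = mask_server_header(app.wsgi_app); note that this replaces the header's value rather than dropping the header entirely as the source patches above do.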
4. Removing the Server response header in FastAPI
Because FastAPI is served by uvicorn, the change has to be made in uvicorn's own source.
Windows
Locate server.py by importing it with from uvicorn import server, then comment out "+ self.config.encoded_headers" so that the code reads as follows:
    async def on_tick(self, counter) -> bool:
        # Update the default headers, once per second.
        if counter % 10 == 0:
            current_time = time.time()
            current_date = formatdate(current_time, usegmt=True).encode()
            self.server_state.default_headers = [
                (b"date", current_date)
            ]  # + self.config.encoded_headers  # commented out
The above hides the Server header entirely. If you want to change its value instead, do the following:
- Locate config.py by importing it with from uvicorn import config, then modify the code as follows:
    def load(self):
        assert not self.loaded

        if self.is_ssl:
            self.ssl = create_ssl_context(
                keyfile=self.ssl_keyfile,
                certfile=self.ssl_certfile,
                password=self.ssl_keyfile_password,
                ssl_version=self.ssl_version,
                cert_reqs=self.ssl_cert_reqs,
                ca_certs=self.ssl_ca_certs,
                ciphers=self.ssl_ciphers,
            )
        else:
            self.ssl = None

        encoded_headers = [
            (key.lower().encode("latin1"), value.encode("latin1"))
            for key, value in self.headers
        ]
        self.encoded_headers = (
            encoded_headers
            if b"server" in dict(encoded_headers)
            # else [(b"server", b"uvicorn")] + encoded_headers
            else [(b"server", b"123456")] + encoded_headers  # modified
        )  # type: List[Tuple[bytes, bytes]]
        ...
Linux
Modify the files /root/lib64/python3.6/site-packages/uvicorn/server.py and /root/lib64/python3.6/site-packages/uvicorn/config.py, changing the code the same way as on Windows