问题描述
我有一个对POST / GET / PUT动词有效的API,但如果黑客拦截请求并将方法更改为'OPTIONS'而不是'GET',他将在http响应中得到以下错误 -
I have API which is valid for POST/GET/PUT verb but if hacker intercepts the request and change method to 'OPTIONS' instead of 'GET', he will get below error in http response -
允许:GET,POST,PUT
{
消息:请求的资源不支持http方法'OPTIONS'。
}
Allow: GET,POST,PUT{"Message": "The requested resource does not support http method 'OPTIONS'."}
这允许黑客识别API支持的动词。我必须限制此标头作为回应。
This allows hacker to identify what verbs supported by API. I have to restrict this header in response.
我尝试删除'WebDav'模块,但它仍然显示相同的消息。我不希望黑客看到此消息和允许标头。
I tried removing 'WebDav' module but it still showing same message. I don't want hacker to see this message and Allow header.
推荐答案
根据您的要求,我假设您可以在 Web.config 文件如下:
According to your requirement, I assumed that you could specific the supported verbs in Web.config
file as follows:
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="false">
<add verb="GET" allowed="true" />
<add verb="POST" allowed="true" />
<add verb="PUT" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
如果客户试图用其他动词访问你的Api,它将收到404状态代码。此外,您最好在Web API中启用身份验证,以便更好地考虑安全性。
If the client trys to access your Api with other verbs, it would receive the 404 status code. Additionally, you'd better enable authentication in your Web API for better security consideration.
这篇关于如何从Http Response中删除Allow标头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!