Why does removeServerHeader work in an Azure Web App?

As mentioned in other SO questions Windows Azure Web Apps are running on IIS/8.0, but I have some doubt if that is actually true.

First of all, when I check the HTTP response from a web app running on the Azure Web Apps free tier I can see the following HTTP header:

Server:Microsoft-IIS/8.0

However, according to this documentation and to some local testing on my machine I know that requestFiltering removeServerHeader is not supported in IIS 8.0.

e.g.:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

It is a feature which has been added with IIS 10.0 and I can confirm this by running some more tests on a Windows 10 VM with IIS 10.0.

Interestingly, this setting also works on my Azure Web App, which supposedly runs on IIS 8.0, so my question is what version of IIS is Azure Web Apps actually running on?

EDIT: From all the comments below it seems that Azure Web Apps run on IIS 8.0, so I re-phrase my question to: How come the removeServerHeader works in an Azure Web App when they run on IIS 8.0?


Various sources indicate that Azure Websites runs a custom version of IIS that is not available with any version of Windows.


Your web job runs in the same environment as the associated website. To get detailed information about the site and its environment, use Kudu. You can access it by browsing to the URL:

{yoursite}.scm.azurewebsites.net

Then select the environment tab at the top.



A blog post from Microsoft in 2013 states:

Our customers asked us to allow these headers to be disabled on Azure Web Sites, and so with the recent release of Windows Azure Web Sites, we have enabled this to be done.

It then goes on to give an example of using removeServerHeader and says it's part of the Request Filtering module:

The removal of these headers is facilitated with the Request Filtering module...

Interestingly their documentation for IIS 10 Request Filtering confirms that the removeServerHeader attribute was added to IIS 10 as you have found out.

New in IIS 10.0

IIS 10.0 added the removeServerHeader attribute to suppress sending the HTTP server header to remote clients.

So I would say that the reason it works on Azure Web Sites is because Microsoft pushed this feature out to Azure Web Sites at the request of customers in 2013 - presumably as part of an Azure-specific version of the Request Filtering module. They have since integrated it as standard into the IIS 10 Request Filtering module.
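A check that compares the removeServerHeader setting in a web.config with the Server header a response actually carries, added here as an example that is not part of the original question or answers. The function names and the sample config and response strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not captured from a real site).
WEB_CONFIG = ('<configuration><system.webServer><security>'
              '<requestFiltering removeServerHeader="true" />'
              '</security></system.webServer></configuration>')
LEAKY = "HTTP/1.1 200 OK\r\nServer:Microsoft-IIS/8.0\r\n\r\n<html></html>"
CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def config_requests_removal(web_config_xml):
    """True if any requestFiltering element sets removeServerHeader="true"."""
    root = ET.fromstring(web_config_xml)
    # iter() also finds the element when it is nested under <location>.
    for node in root.iter("requestFiltering"):
        if node.get("removeServerHeader", "false").strip().lower() == "true":
            return True
    return False


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; the space after ':' is optional.
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def audit(web_config_xml, raw_response):
    """Compare what the config asks for with what the server actually sent."""
    wanted = config_requests_removal(web_config_xml)
    sent = server_header(raw_response)
    if wanted and sent is not None:
        return f"NOT_APPLIED: setting present, response still sends Server: {sent}"
    if wanted:
        return "OK: setting present and no Server header in response"
    if sent is not None:
        return f"EXPOSED: setting absent, response sends Server: {sent}"
    return "OK: no Server header in response"


if __name__ == "__main__":
    for label, response in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, "->", audit(WEB_CONFIG, response))
```

The NOT_APPLIED result is the one to watch for when the same web.config is deployed to hosts running different IIS builds, since the attribute only helps where the Request Filtering module honours it.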
