How to Remove X-Powered-By header using web config - html

Hello i'm trying to remove X-Powered-By header by using my web.config.
This is my web.config file so far,
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Rule" stopProcessing="true">
<match url="^(.*)$" ignoreCase="false" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
<add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
</conditions>
<action type="Rewrite" url="index.php/{R:1}" appendQueryString="true" />
</rule>
</rules>
</rewrite>
<httpProtocol>
<customHeaders>
<clear />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
But once I check, it still showing me the x-powered-by....

<httpProtocol>
<customHeaders>
<remove name="X-Powered-By"/>
</customHeaders>
</httpProtocol>
See here for different options: https://blog.insiderattack.net/configuring-secure-iis-response-headers-in-asp-net-mvc-b38369030728

Try putting this at the top your index.php file:
header_remove("X-Powered-By");
http://php.net/manual/en/function.header-remove.php

Related

Add Exception To URL Rewrite And IIS Server

I have my first IIS Server set up and running. And I have successfully configured the URL Rewrite add on. It works perfectly for all incoming requests. How ever I want to exclude one additional website that runs on the same IIS server. Can someone teach me how to do this?
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="^(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
<serverVariables>
<set name="HTTP_REFERER" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
<set name="HTTP_ACCEPT_ENCODING" value="" />
</serverVariables>
<action type="Rewrite" url="http://working.backendserver:4588/{R:1}" />
</rule>
</rules>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Base, Form, Img" pattern="^http(s)?://working.backendserver:4588/(.*)" />
<action type="Rewrite" value="http{R:1}://working.inbound.url.com/{R:2}" />
</rule>
<rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
<match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
<action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
<preCondition name="NeedsRestoringAcceptEncoding">
<add input="{RESPONSE_CONTENT_TYPE}" pattern=".+" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
enter code here

How to force site to use https only

I'm tryin to force my website to only accept https, by adding the following to my webconfig:
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
This works, if you load the site using http it now re-directs the site to https, but every time I try to go to a different page or submit a form I get a:
405 - HTTP verb used to access this page is not allowed.
This currentle my webconfi:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="PW_BADPOST" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{REQUEST_METHOD}" matchType="Pattern" pattern="POST" ignoreCase="true" />
<add input="{HTTP_REFERER}" pattern=".*\/wp-admin.*" />
</conditions>
<action type="CustomResponse" statusCode="404"/>
</rule>
<rule name="PW_BadURL" stopProcessing="true">
<match url="^(.*)$" />
<conditions logicalGrouping="MatchAny">
<add input="{REQUEST_URI}" pattern="\.php" />
<add input="{REQUEST_URI}" pattern="die\(" />
<add input="{REQUEST_URI}" pattern="connector\.asp" />
</conditions>
<action type="CustomResponse" statusCode="404"/>
</rule>
<!-- directories to ignore -->
<rule name="PW_IgnoreDir" stopProcessing="true">
<match url="^(css|img|images|js|tools)\/(.*)$" ignoreCase="true" />
<action type="None" />
</rule>
<!-- Pages -->
<rule name="PW_Pages" stopProcessing="true">
<match url="^(.*)$" />
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
</conditions>
<action type="Rewrite" url="index.php?{R:1}" />
</rule>
</rules>
</rewrite>
<directoryBrowse enabled="false" />
</system.webServer>
</configuration>

Angular universal web config file with ssl and www redirecting

I have a little problem with the web.config file of my angular universal project. My web.config file is like this;
<configuration>
<system.webServer>
<!-- indicates that the server.js file is a node.js application
to be handled by the iisnode module -->
<handlers>
<add name="iisnode" path="main.js" verb="*" modules="iisnode" />
</handlers>
<rewrite>
<rules>
<rule name="sendToNode">
<match url="/*" />
<action type="Rewrite" url="main.js" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
We are trying to add a www redirecting when there is no www written into link and a https redirecting when there is no https written in the url. But we couldnt manage to do this.
Should I need to do something from the Angular for this?
How can we add those two redirectings into our angular universal web config?
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="DENY" />
<add name="X-XSS-Protection" value="1; mode=block" />
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
<webSocket enabled="false" />
<handlers>
<!-- Indicates that the main.js file is a node.js site to be handled by the iisnode module -->
<add name="iisnode" path="main.js" verb="*" modules="iisnode"/>
</handlers>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent"/>
</rule>
<!-- Do not interfere with requests for node-inspector debugging -->
<rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
<match url="^main.js\/debug[\/]?" />
</rule>
<!-- All other URLs are mapped to the node.js site entry point -->
<rule name="DynamicContent">
<match url="^(?!.*login).*$"></match>
<conditions>
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
</conditions>
<action type="Rewrite" url="main.js"/>
</rule>
</rules>
<outboundRules>
<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
<match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
<conditions>
<add input="{HTTPS}" pattern="on" ignoreCase="true" />
</conditions>
<action type="Rewrite" value="max-age=31536000" />
</rule>
</outboundRules>
</rewrite>
<!-- 'bin' directory has no special meaning in node.js and apps can be placed in it -->
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin"/>
</hiddenSegments>
</requestFiltering>
</security>
<!-- Make sure error responses are left untouched -->
<httpErrors existingResponse="PassThrough" />
<!-- Restart the server if any of these files change -->
<iisnode watchedFiles="web.config;*.js;browser/*.*" />
</system.webServer>
</configuration>

hide/remove url extension in windows servers

I read that .htaccess doesn't work on windows server like godaddy. So to hide or remove extensions like .php and .html on URL, you can accomplish this by creating a web.config file with the following code:
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="RewriteHTML">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions> <action type="Rewrite" url="{R:1}.html" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
I tried to make web.config file and save it where index.php is with that code but nothing happened.. I tested it with the like this
<ul>
<li>
Attack on Titan Episode 3
</li>
</ul> with a href of "attackontitan-3"
I want url to be http://mysite/watching/attack%20on%20titan/attackontitan-3 not http://mysite/watching/attack%20on%20titan/attackontitan-3.php
Use rewrite to add the extension, like this:
<rule name="rewritephp">
<!--Removes the .aspx extension for all pages.-->
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}.php" />
</rule>
Or This tutorial does a great job at explaining what you need to do with IIS.
http://atlantawebsites.blogspot.com/2010/06/vanity-urls-with-godaddy-hosting-using.html
You need to add a Rewrite and Redirect rules. The following will redirect and rewrite page.php to just page. If you want to do the same for html, just add those rules.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<!-- Remove the existing rules just incase we already defined them -->
<remove name="RedirectPhpExtensions" />
<remove name="RewritePhpExtensions" />
<!-- Add a rule to redirect x.php pages to just x -->
<rule name="RedirectPhpExtensions" enabled="true" stopProcessing="true">
<match url="(.*)\.php$" />
<action type="Redirect" url="{R:1}" redirectType="Permanent" />
</rule>
<!-- Add a rule to rewrite the x pages to x.php behind the scene -->
<rule name="RewritePhpExtensions" enabled="true" stopProcessing="true">
<match url="(.*)" negate="false" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
</conditions>
<action type="Rewrite" url="{R:1}.php" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Place this web.config in the root directory of your domain.
Then you need to restart the Application Pool on godaddy's site:
Web Hosting > Manage > IIS Management > Recycle App Pool button

How to add multiple URL rewrite rules in a web.config

How to add multiple URL rewrite rules in a web.config
I want to match any url that contains "sales" and "registrationsuccess".
I get errors with when I try the following:
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="(.*sales*)"/>
<match url="(.*registrationsuccess*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
This is how you add more than one rule:
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS (Sales)" stopProcessing="true">
<match url="(.*sales*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
</rule>
<rule name="Redirect HTTP to HTTPS (RegistrationSucces)" stopProcessing="true">
<match url="(.*registrationsuccess*)"/>
<conditions>
<add input="{HTTPS}" pattern="^OFF$"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther"/>
</rule>
</rules>
</rewrite>
But for what you're trying to do, you can do it with one rule, like below:
<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny">
<add input="{HTTPS}" pattern="ON" />
<add input="{PATH_INFO}" pattern="^(.*)/sales/(.*)" />
<add input="{PATH_INFO}" pattern="^(.*)/registrationsuccess/(.*)" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>