5

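Because we protect .PDF files from anonymous users, we have a custom handler, and so we have an entry

We also made a change to the HTTP headers to add "cache-control: no-cache,no-store" through IIS 7 management, which creates a web.config entry under the system.webServer element, as follows: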

<httpProtocol>

  <customHeaders>
    <clear />
    <add name="cache-control" value="no-cache,no-store" />
  </customHeaders>

</httpProtocol>

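When I review the response headers in a Burp Suite session, I see for .aspx pages: cache-control: no-store,no-cache,no-store

But for PDF pages:

cache-control: private,no-cache,no-store

My goal is to have everything be just "no-cache,no-store". I'm not sure what I am missing. There are no other cache settings in web.config. Please advise how to remove "private" from the PDF pages and the extra no-store from everything else. Other static pages that go through System.Web.StaticFileHandler also have "no-store,no-cache,no-store".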

4
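A way to check captured response headers against the goal stated in the question, as an added example that is not part of the original post. It parses every Cache-Control line, then reports duplicated directives and directives outside the required set; the function names and the sample header lists are assumptions made for this illustration.

```python
import re
from collections import Counter

REQUIRED = ("no-cache", "no-store")   # the policy the question aims for

# Split on commas that are not inside a quoted-string (e.g. private="Set-Cookie, X").
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_cache_control(header_lines):
    """Return the directive names, in order, from every Cache-Control line."""
    names = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cache-control":
            continue   # not a Cache-Control header line
        for token in _SPLIT.split(value):
            token = token.strip()
            if token:
                # Keep the directive name only; an argument such as =0 is dropped.
                names.append(token.split("=", 1)[0].strip().lower())
    return names

def audit(header_lines, required=REQUIRED):
    """List every deviation of the effective directives from the required set."""
    names = parse_cache_control(header_lines)
    counts = Counter(names)
    findings = []
    if not names:
        findings.append("missing Cache-Control header")
    for d in required:
        if d not in counts:
            findings.append("missing directive: " + d)
    for d, n in counts.items():
        if d not in required:
            findings.append("unexpected directive: " + d)
        elif n > 1:
            findings.append("duplicate directive: %s x%d" % (d, n))
    return findings

# Cache-Control values as reported in the question; the Content-Type lines
# and the last entry are constructed for this example.
SAMPLES = {
    ".aspx": ["Content-Type: text/html", "cache-control: no-store,no-cache,no-store"],
    ".pdf": ["Content-Type: application/pdf", "Cache-Control: private,no-cache,no-store"],
    "goal (constructed)": ["Cache-Control: no-cache,no-store"],
}

if __name__ == "__main__":
    for label, lines in SAMPLES.items():
        print(label, "->", audit(lines) or "OK")
```

Feeding it the header lines copied from a proxy history after each configuration change shows whether the `private` directive or the repeated `no-store` is still being emitted.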

2 Answers

4

Although this post is now a few years old, I thought I would share my solution that may save someone hours of head-scratching.

I have an MVC 4 site setup using IIS, and my aim was to have IIS add headers to certain files (defined by location), by using the <customHeaders> section. The 'cache-control' values I had in the <customHeaders> section were being appended to the end of 'cache-control: private', magically being added by IIS.

This was because of the runAllManagedModulesForAllRequests setting in my web.config being set to true:

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
</system.webServer>

This setting was causing one of the IIS Modules (I don't know which) to append the 'cache-control' header to every file being requested from IIS.

So the solution is to set this to false, and manage each of your modules separately using the preCondition attribute on each.

The runAllManagedModulesForAllRequests setting was required by earlier versions of MVC because extensionless routing would not work without it. This has since been fixed; more details here:

http://blogs.msdn.com/b/tmarq/archive/2010/04/01/asp-net-4-0-enables-routing-of-extensionless-urls-without-impacting-static-requests.aspx

Useful reading on the use of runAllManagedModulesForAllRequests:

http://weblog.west-wind.com/posts/2012/Oct/25/Caveats-with-the-runAllManagedModulesForAllRequests-in-IIS-78

answered 2015-02-05T15:54:28.837
0

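I can't tell you why IIS 7 is adding "private" to the cache control, but I can show you how I got rid of it in my own ASHX-based pass-through proxy (see 1st comment below the original post).

using System;
using System.Web;

public class proxy : IHttpHandler
{
    // Required by IHttpHandler; a new handler instance is used for each request.
    public bool IsReusable
    {
        get { return false; }
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;

        // Remove the 'private' string value from the response.CacheControl member
        if (response.CacheControl == "private")
        {
            response.CacheControl = String.Empty;
        }

        // Do other stuff
    }
}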

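This won't work if you are using the built-in Cassini web development server in Visual Studio. To mess with headers, you need to switch to a full-fledged IIS web server in your development environment.

answered 2012-06-26T20:33:29.387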