Add security headers to help protection from injection attacks in c# asp.net


Adding and removing headers during Application_BeginRequest always leads to headaches with your server complaining about not being able to do things after headers are set.

Typically "X-AspNet-Version" and "X-AspNetMvc-Version" are IIS custom headers and removing them depends on the version of IIS you are using.

With new versions of IIS you can set it in Web.Config:

<system.web>
    <httpRuntime enableVersionHeader="false" />
</system.web>

In older versions you need to use IIS Manager (see https://www.google.com/search?q=iis+remove++X-AspNet-Version&ie=utf-8&oe=utf-8):

You can remove the MVC header in Application_Start in Global.asax:

MvcHandler.DisableMvcResponseHeader = true;

Your web.config should work fine:

<add name="X-Frame-Options" value="DENY"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>

If not, Application_PreSendRequestHeaders is an appropriate place to add or remove headers as well.

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Headers have not gone out yet at this point, so both adding and removing work.
    HttpContext.Current.Response.Headers.Add("X-Frame-Options", "DENY");
    HttpContext.Current.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    HttpContext.Current.Response.Headers.Remove("Server");
}

You can use the web developer console on your web browser (usually opened by hitting F12) and click on the network tab to see what headers the server is sending.


Author: user3660473

Updated on June 19, 2022
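
As an added example (not code from the original answer), the same headers handled in one IHttpModule instead of scattered across Global.asax, so the add-early/remove-late split is explicit. It assumes IIS 7 or later running in integrated pipeline mode and .NET Framework 4.5.2 or later (for HttpResponse.HeadersWritten); the namespace, class name and the Content-Security-Policy value are illustrative choices, not anything the answer prescribes.

```csharp
// SecurityHeadersModule.cs: added example, not code from the original post.
// Assumes IIS 7+ in integrated pipeline mode and .NET Framework 4.5.2+
// (HttpResponse.HeadersWritten). Namespace, class name and the CSP value are
// illustrative choices, not anything the post prescribes.
using System;
using System.Web;

namespace MyApp.Security
{
    public class SecurityHeadersModule : IHttpModule
    {
        // Placeholder policy; tighten or loosen it for your site. WebForms
        // postbacks rely on inline script, which 'self' alone blocks.
        private const string Csp = "default-src 'self'; frame-ancestors 'none'";

        // Headers the assessment flagged as missing, and the values to send.
        private static readonly string[,] Wanted =
        {
            { "X-Frame-Options",         "DENY" },
            { "X-XSS-Protection",        "1; mode=block" },
            { "X-Content-Type-Options",  "nosniff" },
            { "Content-Security-Policy", Csp },
        };

        // Headers that disclose the server or framework version.
        private static readonly string[] Banner =
            { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

        public void Init(HttpApplication app)
        {
            // Response.Headers is writable only in integrated mode; classic
            // mode throws PlatformNotSupportedException on access.
            if (!HttpRuntime.UsingIntegratedPipeline)
                return;

            // Add early: nothing has been written yet, so there is no
            // "headers already sent" error to hit.
            app.BeginRequest += (s, e) =>
                AddSecurityHeaders(((HttpApplication)s).Context.Response);

            // Remove late: IIS appends Server after the managed pipeline has
            // run, so removing it in BeginRequest has no effect.
            app.PreSendRequestHeaders += (s, e) =>
                StripBannerHeaders(((HttpApplication)s).Context.Response);
        }

        internal static void AddSecurityHeaders(HttpResponse response)
        {
            // Defensive; always false in BeginRequest.
            if (response.HeadersWritten)
                return;
            for (int i = 0; i < Wanted.GetLength(0); i++)
            {
                // Set rather than Add: Set replaces an existing value,
                // Add appends a second copy of the header.
                response.Headers.Set(Wanted[i, 0], Wanted[i, 1]);
            }
        }

        internal static void StripBannerHeaders(HttpResponse response)
        {
            if (response.HeadersWritten)
                return;
            foreach (var name in Banner)
                response.Headers.Remove(name);
        }

        public void Dispose()
        {
        }
    }
}

/* Registration in web.config, inside <configuration>:
<system.webServer>
  <modules>
    <add name="SecurityHeaders" type="MyApp.Security.SecurityHeadersModule" />
  </modules>
</system.webServer>
*/
```

Register the module as shown in the trailing comment and keep enableVersionHeader="false" and MvcHandler.DisableMvcResponseHeader = true as well, so the module is only a backstop for the version headers. Microsoft's documentation for HttpApplication.PreSendRequestHeaders warns that the event can cause problems with asynchronous requests in managed modules, so on IIS 10 or later prefer <requestFiltering removeServerHeader="true" /> under <system.webServer><security> for the Server header and drop the PreSendRequestHeaders handler. X-XSS-Protection is kept only because the scanner asks for it: Chrome and Edge removed the XSS auditor and Firefox never implemented it. Check the result with curl -sI http://localhost/ rather than pasting the URL into a third-party viewer.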

Comments

  • user3660473
    user3660473 almost 2 years

    I have a C# asp.net application. It was sent to security assessment and below were the risks.

    -Missing "Content-Security-Policy" header
    -Missing "X-Content-Type-Options" header
    -Missing "X-XSS-Protection" header 
    -It was observed that server banner is getting disclosed in HTTP response.
    -It was observed that service version is getting disclosed in HTTP response.
    

    I have the below code in the web.config file

    <!-- in web.config, under <configuration> -->
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Powered-By"/>
          <add name="X-Frame-Options" value="DENY"/>
          <add name="X-XSS-Protection" value="1; mode=block"/>
          <add name="X-Content-Type-Options" value="nosniff"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    

    I thought this will add the headers. But the security team says the issue is not fixed. Is there any alternative for this? And for the banner disclosure, I don't have access to the server. Can I fix this within the application? After research I found this: Inside Global.asax I have this code:

    protected void Application_PreSendRequestHeaders()
    {
        // Replace the IIS banner rather than removing it, and drop the
        // framework version headers before the headers go out.
        // Response.Headers.Remove("Server");
        Response.Headers.Set("Server", "My httpd server");
        Response.Headers.Remove("X-AspNet-Version");
        Response.Headers.Remove("X-AspNetMvc-Version");
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Early attempt at the same thing, using the sender instead of HttpContext.Current.
        var app = sender as HttpApplication;
        if (app != null && app.Context != null)
        {
            app.Context.Response.Headers.Remove("Server");
        }
    }
    

    Is this the correct fix? Please help.

  • user3660473
    user3660473 almost 7 years
    When I click on the network tab I am not able to see the headers. Can you guide me through the steps please? It just starts recording. I am running from local.
  • Alexander Higgins
    Alexander Higgins almost 7 years
    once it starts recording hit refresh
  • Alexander Higgins
    Alexander Higgins almost 7 years
    Or just pop your url into an online header view: web-sniffer.net
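
A local alternative to pasting the URL into an online viewer, added here as an example and not part of the original thread: a small console program that reads a raw response header block (copy it from curl -i or the browser's network tab) and reports the same findings the assessment in the question lists. Both sample responses in Main are constructed for the demonstration, not captured from a real server.

```csharp
// HeaderAudit.cs: added example, not code from the original thread.
// Reads the status line and headers of a raw HTTP response (paste the block
// that curl -i or the browser's network tab shows) and reports the findings
// the question's assessment listed. Both sample responses in Main are
// constructed for this demonstration, not captured from a real server.
using System;
using System.Collections.Generic;

public static class HeaderAudit
{
    static readonly string[] Required =
        { "Content-Security-Policy", "X-Content-Type-Options", "X-XSS-Protection", "X-Frame-Options" };
    static readonly string[] Disclosing =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    // Case-insensitive name -> value map of the header block. Parsing stops at
    // the blank line that separates headers from the body.
    public static Dictionary<string, string> Parse(string raw)
    {
        var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var rawLine in raw.Split('\n'))
        {
            var line = rawLine.TrimEnd('\r');
            if (line.Length == 0)
                break;
            int colon = line.IndexOf(':');
            if (colon <= 0)
                continue;                       // status line ("HTTP/1.1 200 OK") has no name:value
            var name = line.Substring(0, colon).Trim();
            var value = line.Substring(colon + 1).Trim();
            // Repeated headers are joined with a comma, as RFC 7230 allows.
            headers[name] = headers.ContainsKey(name) ? headers[name] + ", " + value : value;
        }
        return headers;
    }

    public static List<string> Findings(string raw)
    {
        var h = Parse(raw);
        var findings = new List<string>();
        foreach (var name in Required)
            if (!h.ContainsKey(name))
                findings.Add("Missing \"" + name + "\" header");
        foreach (var name in Disclosing)
            if (h.ContainsKey(name))
                findings.Add("\"" + name + ": " + h[name] + "\" discloses server or framework version");

        // Present but wrong is still a finding: scanners check the value too.
        string value;
        if (h.TryGetValue("X-Content-Type-Options", out value) &&
            !value.Equals("nosniff", StringComparison.OrdinalIgnoreCase))
            findings.Add("X-Content-Type-Options must be \"nosniff\", got \"" + value + "\"");
        if (h.TryGetValue("X-Frame-Options", out value) &&
            !value.Equals("DENY", StringComparison.OrdinalIgnoreCase) &&
            !value.Equals("SAMEORIGIN", StringComparison.OrdinalIgnoreCase))
            findings.Add("X-Frame-Options must be DENY or SAMEORIGIN, got \"" + value + "\"");
        return findings;
    }

    public static void Main()
    {
        // Constructed: what a default IIS/ASP.NET MVC response looks like.
        const string before =
            "HTTP/1.1 200 OK\r\n" +
            "Content-Type: text/html; charset=utf-8\r\n" +
            "Server: Microsoft-IIS/8.5\r\n" +
            "X-AspNetMvc-Version: 5.2\r\n" +
            "X-AspNet-Version: 4.0.30319\r\n" +
            "X-Powered-By: ASP.NET\r\n" +
            "\r\n" +
            "<html>...</html>";
        // Constructed: the same response after the headers in this thread are applied.
        const string after =
            "HTTP/1.1 200 OK\r\n" +
            "Content-Type: text/html; charset=utf-8\r\n" +
            "X-Frame-Options: DENY\r\n" +
            "X-XSS-Protection: 1; mode=block\r\n" +
            "X-Content-Type-Options: nosniff\r\n" +
            "Content-Security-Policy: default-src 'self'\r\n" +
            "\r\n";

        foreach (var sample in new[] { before, after })
        {
            var findings = Findings(sample);
            Console.WriteLine(findings.Count == 0 ? "No findings." : string.Join(Environment.NewLine, findings));
            Console.WriteLine("--");
        }
    }
}
```

Run it against the output of curl -i before and after deploying the web.config or Global.asax changes; the first sample reproduces the five findings from the question, the second reports none.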