Add security headers to help protection from injection attacks in c# asp.net
Adding and removing headers during Application_BeginRequest always leads to headaches with your server complaining about not being able to do things after headers are set.
Typically "X-AspNet-Version" and "X-AspNetMvc-Version" are IIS custom headers and removing them depends on the version of IIS you are using.
With new versions of IIS you can set it in Web.Config:

```xml
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>
```
In older versions you need to use IIS manager (see https://www.google.com/search?q=iis+remove++X-AspNet-Version&ie=utf-8&oe=utf-8).
You can remove the MVC header in app_start in Global.asax:

```csharp
// In Application_Start: stops ASP.NET MVC from emitting X-AspNetMvc-Version
MvcHandler.DisableMvcResponseHeader = true;
```
Your web.config should work fine:

```xml
<add name="X-Frame-Options" value="DENY"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>
```
If not, Application_PreSendRequestHeaders is an appropriate place to add or remove headers as well.

```csharp
protected void Application_PreSendRequestHeaders()
{
    // Runs just before the headers go out, so both additions and removals take effect
    HttpContext.Current.Response.Headers.Add("X-Frame-Options", "DENY");
    HttpContext.Current.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
    HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
    HttpContext.Current.Response.Headers.Remove("Server");
}
```
You can use the web developer console on your web browser (usually opened by hitting F12) and click on the network tab to see what headers the server is sending.
user3660473
Updated on June 19, 2022

Comments
- user3660473 almost 2 years
I have a C# asp.net application. It was sent to security assessment and below were the risks.
- Missing "Content-Security-Policy" header
- Missing "X-Content-Type-Options" header
- Missing "X-XSS-Protection" header
- It was observed that server banner is getting disclosed in HTTP response.
- It was observed that service version is getting disclosed in HTTP response.
I have the below code in the web.config file:

```xml
<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By"/>
    <add name="X-Frame-Options" value="DENY"/>
    <add name="X-XSS-Protection" value="1; mode=block"/>
    <add name="X-Content-Type-Options" value="nosniff "/>
  </customHeaders>
</httpProtocol>
```
I thought this would add the headers. But the security team says the issue is not fixed. Is there any alternative for this? And for the banner disclosure, I don't have access to the server. Can I fix this within the application? After research I found this. Inside Global.asax I have this code:

```csharp
protected void Application_PreSendRequestHeaders()
{
    // Response.Headers.Remove("Server");
    Response.Headers.Set("Server", "My httpd server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

protected void Application_BeginRequest(object sender, EventArgs e)
{
    var app = sender as HttpApplication;
    if (app != null && app.Context != null)
    {
        app.Context.Response.Headers.Remove("Server");
    }
}
```

Is this the correct fix? Please help.
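The asker later reports not being able to see the headers in the browser's network tab. As an added example (not from the page or from either poster), here is a small console program that reports exactly the findings the assessment listed from a raw HTTP response header block. The sample response below is constructed for illustration, not a real capture; passing a URL as the first argument fetches the live headers with HttpClient instead, which gives a repeatable check before sending the build back for re-test.

```csharp
// HeaderCheck.cs (added example). Reports missing security headers and
// disclosed server/version headers, from a constructed sample or a live URL.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

public static class HeaderCheck
{
    // Headers the assessment expected to be present.
    static readonly string[] Required =
        { "Content-Security-Policy", "X-Content-Type-Options", "X-XSS-Protection", "X-Frame-Options" };

    // Headers whose presence discloses the server banner or framework version.
    static readonly string[] Disclosing =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    // Parses "Name: value" lines after the status line; header names are case-insensitive.
    public static Dictionary<string, string> ParseHeaderBlock(string raw)
    {
        var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        var lines = raw.Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var line in lines.Skip(1)) // skip "HTTP/1.1 200 OK"
        {
            int colon = line.IndexOf(':');
            if (colon <= 0) continue;
            headers[line.Substring(0, colon).Trim()] = line.Substring(colon + 1).Trim();
        }
        return headers;
    }

    // Produces one finding per missing required header and per disclosing header present.
    public static List<string> Findings(IDictionary<string, string> headers)
    {
        var findings = new List<string>();
        foreach (var name in Required)
            if (!headers.ContainsKey(name)) findings.Add("Missing \"" + name + "\" header");
        foreach (var name in Disclosing)
            if (headers.ContainsKey(name)) findings.Add(name + " disclosed: " + headers[name]);
        return findings;
    }

    // Live variant: response headers plus content headers, joined per name.
    static async Task<Dictionary<string, string>> FetchAsync(string url)
    {
        using (var client = new HttpClient())
        using (var resp = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead))
        {
            var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            foreach (var h in resp.Headers.Concat(resp.Content.Headers))
                headers[h.Key] = string.Join(", ", h.Value);
            return headers;
        }
    }

    public static int Main(string[] args)
    {
        // Constructed sample resembling a default ASP.NET response (not a real capture).
        const string sample =
            "HTTP/1.1 200 OK\r\n" +
            "Server: Microsoft-IIS/8.5\r\n" +
            "X-AspNet-Version: 4.0.30319\r\n" +
            "X-Powered-By: ASP.NET\r\n" +
            "X-Frame-Options: DENY\r\n" +
            "Content-Type: text/html; charset=utf-8\r\n";

        var headers = args.Length > 0
            ? FetchAsync(args[0]).GetAwaiter().GetResult()
            : ParseHeaderBlock(sample);

        var findings = Findings(headers);
        foreach (var f in findings) Console.WriteLine(f);
        Console.WriteLine(findings.Count == 0 ? "No findings." : findings.Count + " finding(s).");
        return findings.Count == 0 ? 0 : 1; // non-zero exit so a build step can fail on it
    }
}
```

Run without arguments, the constructed sample yields three "Missing" lines (Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection) and three disclosure lines (Server, X-Powered-By, X-AspNet-Version); run as `HeaderCheck.exe http://localhost:port/` against the local site, it shows what the server is actually sending regardless of what the browser console displays.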
- user3660473 almost 7 years: When I click on the network tab I am not able to see the headers. Can you guide me through the steps please? It just starts recording. I am running from local.
- Alexander Higgins almost 7 years: Once it starts recording, hit refresh.
- Alexander Higgins almost 7 years: Or just pop your URL into an online header viewer: web-sniffer.net