Security Headers in ASP.NET

In an ASP.NET web application, the IIS responses by default include detailed technical information on the server, and the ASP.NET version and MVC version. Some headers are not necessary for production sites and should be disabled.

• Server
• X-AspNet-Version
• X-AspNetMvc-Version
• X-Powered-By

Also We should now add additional security headers that harden the security of the application. Those additional security headers are as follows. 

• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Content-Security-Policy
• X-Permitted-Cross-Domain-Policies
• Referrer-Policy

X-Frame-Options

The X-Frame-Options header ensure that hackers don't iframe your site, in order to trick you into clicking links which you never intended to. If you are using ASP.NET MVC 5 or newer, this header is added automatically. Adding the header in previous versions or other web frameworks is easy using web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

In this example, I deny any possibility of iframing the website. If you are using iframes on the same domain, you can change the value to SAMEORIGIN.

X-Xss-Protection

The X-Xss-Protection is a feature implemented in most modern browser, which will stop loading the page when a cross-site scripting attack is detected. Adding the header happens through web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Xss-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The value if 1 simply marks the protection as enabled.