web analytics

Security Headers in ASP.NET

Options

codeling 1524 - 6369
@2021-08-03 08:58:30

In an ASP.NET web application, the IIS responses by default include detailed technical information on the server, and the ASP.NET version and MVC version. Some headers are not necessary for production sites and should be disabled.

  • Server
  • X-AspNet-Version
  • X-AspNetMvc-Version
  • X-Powered-By

Also We should now add additional security headers that harden the security of the application. Those additional security headers are as follows. 

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content-Security-Policy
  • X-Permitted-Cross-Domain-Policies
  • Referrer-Policy
@2021-08-03 08:59:35

X-Frame-Options

The X-Frame-Options header ensure that hackers don't iframe your site, in order to trick you into clicking links which you never intended to. If you are using ASP.NET MVC 5 or newer, this header is added automatically. Adding the header in previous versions or other web frameworks is easy using web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

 

In this example, I deny any possibility of iframing the website. If you are using iframes on the same domain, you can change the value to SAMEORIGIN.

@2021-08-03 21:37:49

X-Content-Type-Options

To avoid MIME type sniffing, you can add the X-Content-Type-Options header. This makes it harder for hackers to guess the right mime type, by inspecting the content. Adding the header is easily done through web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

@2021-08-03 21:40:31

X-Xss-Protection

The X-Xss-Protection is a feature implemented in most modern browser, which will stop loading the page when a cross-site scripting attack is detected. Adding the header happens through web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Xss-Protection" value="1; mode=block" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

The value if 1 simply marks the protection as enabled.

Comments

You must Sign In to comment on this topic.


© 2021 Digcode.com