web analytics

Security Headers in ASP.NET

@2021-08-04 20:18:06


The Permissions-Policy header (formerly known as Feature-Policy), is a recent addition to the range of security-related headers. When specifying the header, you tell the browser which features your site uses or not. This is a great feature, especially if you embed other websites. To add the header, make the following change in web.config:

      <add name="Permissions-Policy" value="accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" />

Here, we tell the browser that our site shouldn't allow use of the accelerometer, camera, and more. Which features you need to add, totally depend on your site. For more information, check out the specification.

@2021-08-04 20:26:01


The HTTP X-AspNet-Version response header is used by Visual Studio to determine which version of ASP.NET is in use. It is not necessary for production sites and should be disabled. In the httpRuntime section of the web.config, set:

<httpRuntime enableVersionHeader="false" />
@2021-08-04 20:27:31


ASP.NET also reveals the server hosting the application. If a hacker know that you are using IIS, this narrows the number of weaknesses that he/she needs to try. To remove the Server header, remove it from code in either a filter or through Global.asax.cs:

protected void Application_BeginRequest(object sender, EventArgs e)

 var app = sender as HttpApplication;
 if (app != null && app.Context != null) {


protected void Application_PreSendRequestHeaders()
    if (HttpContext.Current != null)

@2021-08-04 20:36:31


Open the Global.asax.cs file, find the event Application_Start event and add the following line at the end of the code.

protected void Application_Start()
    //some code
    MvcHandler.DisableMvcResponseHeader = true; //this line is to hide mvc header


You must Sign In to comment on this topic.

© 2022 Digcode.com