SlideShare a Scribd company logo

Secure Application to Prevent HTTP Header Leaks in Asp.net

Download as DOCX, PDF
codeandyou forums
codeandyou forums

Secure Application to Prevent HTTP Header Leaks in Asp.net

Software
1 of 9
Secure Application to Prevent HTTP Header Leaks in Asp.net
Security is important factor in an application development. We use different techniques to secure our application like Network Security, Application Security, Database Security etc. The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. They provide different set of instruction to secure a web applications. OWASP suggested to add and remove some useful HTTP headers for secure your applications. https://www.owasp.org/index.php/List_of_useful_HTTP_headers Today we are removing following HTTP headers from our request. So, User can’t identity our web server and technology which we are using. Its default headers added by .Net framework to Response. With this user can identify our Web Server (IIS) Version, Asp.net Version, Asp.Net MVC Version etc.  Server  X-AspNet-Version  X-AspNetMvc-Version  X-Powered-By When you will call any API from REST Client. In Response You will see above HTTP Headers added by .Net framework. You can use any REST Client to test you API. We are using POSTMAN REST Client.
We have twowaysto remove HTTP Headers. Use Global.asax orUse Web.Configfile. 1. Remove Server,X-AspNet-VersionandX-AspNetMvc-Version- Use Global.asax’s Application_PreSendRequestHeaders eventtoremove HeadersfromHTTPResponse. protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { HttpApplication app = sender as HttpApplication; if (app != null && app.Context != null) { app.Context.Response.Headers.Remove("Server"); app.Context.Response.Headers.Remove("X-AspNet-Version"); app.Context.Response.Headers.Remove("X-AspNetMvc-Version"); } } 2. Remove X-Powered-By Header and Add some important security headers- Some custom headers are not available into Global.asax file. You need to use Web.Config file to remove and add these headers. <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> <add name="X-Frame-Options" value="DENY"></add> <add name="X-XSS-Protection" value="1; mode=block"></add> <add name="X-Content-Type-Options" value="nosniff "></add> </customHeaders> </httpProtocol> You can learn more about useful HTTP Header here - https://www.owasp.org/index.php/List_of_useful_HTTP_headers After implement you will see that Server,X-AspNet-Version,X-AspNetMvc-Version and X- Powered-By headers removed from Response.
Step By Step Example 1. Create MVC + Web API Project 2. Run Project
3. Add API Folder and create TestController 4. Use following code for TestController
5. Call API from REST Client 6. Check Header which showing arrow
7. Use following code into Global.asax to remove Server,X-AspNet-Version,X-AspNetMvc- Version HTTP Headers 8. Run code and check that Server,X-AspNet-Version,X-AspNetMvc-Version HTTP Headers remove.
9. Now Use Following customer headers in Web.config to remove X-Powered-By HTTP Headers 10. Check X-Powered-By HTTP Header removed and added some useful other HTTP Headers
Thanks www.codeandyou.com http://www.codeandyou.com/2015/12/secure- application-to-prevent-http-header-leaks.html Keywords – Secure Application to Prevent HTTP Header Leaks Remove unwanted Header from Response Remove HTTP Headers Secure Asp.net Application

Recommended

Algorithmia at HackerNews Meetup Seattle
Algorithmia at HackerNews Meetup SeattleAlgorithmia at HackerNews Meetup Seattle
Algorithmia at HackerNews Meetup Seattledoppenhe
 
Introduction to deep learning
Introduction to deep learningIntroduction to deep learning
Introduction to deep learningdoppenhe
 
Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Diego Oppenheimer
 
How to validate server certificate
How to validate server certificateHow to validate server certificate
How to validate server certificatecodeandyou forums
 
How to call $scope function from console
How to call $scope function from consoleHow to call $scope function from console
How to call $scope function from consolecodeandyou forums
 
Understand components in Angular 2
Understand components in Angular 2Understand components in Angular 2
Understand components in Angular 2codeandyou forums
 
Understand routing in angular 2
Understand routing in angular 2Understand routing in angular 2
Understand routing in angular 2codeandyou forums
 
How to setup ionic 2
How to setup ionic 2How to setup ionic 2
How to setup ionic 2codeandyou forums
 

Recommended

Algorithmia at HackerNews Meetup Seattle
Algorithmia at HackerNews Meetup SeattleAlgorithmia at HackerNews Meetup Seattle
Algorithmia at HackerNews Meetup Seattledoppenhe
 
Introduction to deep learning
Introduction to deep learningIntroduction to deep learning
Introduction to deep learningdoppenhe
 
Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Algorithm Marketplace and the new "Algorithm Economy"
Algorithm Marketplace and the new "Algorithm Economy"Diego Oppenheimer
 
How to validate server certificate
How to validate server certificateHow to validate server certificate
How to validate server certificatecodeandyou forums
 
How to call $scope function from console
How to call $scope function from consoleHow to call $scope function from console
How to call $scope function from consolecodeandyou forums
 
Understand components in Angular 2
Understand components in Angular 2Understand components in Angular 2
Understand components in Angular 2codeandyou forums
 
Understand routing in angular 2
Understand routing in angular 2Understand routing in angular 2
Understand routing in angular 2codeandyou forums
 
How to setup ionic 2
How to setup ionic 2How to setup ionic 2
How to setup ionic 2codeandyou forums
 
MongoDB 3.2.0 Released
MongoDB 3.2.0 ReleasedMongoDB 3.2.0 Released
MongoDB 3.2.0 Releasedcodeandyou forums
 
Welcome to ionic 2
Welcome to ionic 2Welcome to ionic 2
Welcome to ionic 2codeandyou forums
 
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?codeandyou forums
 
How to install ssl certificate from .pem
How to install ssl certificate from .pemHow to install ssl certificate from .pem
How to install ssl certificate from .pemcodeandyou forums
 
Protractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular jsProtractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular jscodeandyou forums
 
How routing works in angular js
How routing works in angular jsHow routing works in angular js
How routing works in angular jscodeandyou forums
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net applicationcodeandyou forums
 
How to catch query string in angular js
How to catch query string in angular jsHow to catch query string in angular js
How to catch query string in angular jscodeandyou forums
 
Different way to share data between controllers in angular js
Different way to share data between controllers in angular jsDifferent way to share data between controllers in angular js
Different way to share data between controllers in angular jscodeandyou forums
 
Angular.js interview questions
Angular.js interview questionsAngular.js interview questions
Angular.js interview questionscodeandyou forums
 
How to set up a proxy server on windows
How to set up a proxy server on windows How to set up a proxy server on windows
How to set up a proxy server on windows codeandyou forums
 
What is $root scope in angularjs
What is $root scope in angularjsWhat is $root scope in angularjs
What is $root scope in angularjscodeandyou forums
 
How to save log4net into database
How to save log4net into databaseHow to save log4net into database
How to save log4net into databasecodeandyou forums
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

More Related Content

More from codeandyou forums

What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?codeandyou forums
 
How to install ssl certificate from .pem
How to install ssl certificate from .pemHow to install ssl certificate from .pem
How to install ssl certificate from .pemcodeandyou forums
 
Protractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular jsProtractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular jscodeandyou forums
 
How routing works in angular js
How routing works in angular jsHow routing works in angular js
How routing works in angular jscodeandyou forums
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net applicationcodeandyou forums
 
How to catch query string in angular js
How to catch query string in angular jsHow to catch query string in angular js
How to catch query string in angular jscodeandyou forums
 
Different way to share data between controllers in angular js
Different way to share data between controllers in angular jsDifferent way to share data between controllers in angular js
Different way to share data between controllers in angular jscodeandyou forums
 
Angular.js interview questions
Angular.js interview questionsAngular.js interview questions
Angular.js interview questionscodeandyou forums
 
How to set up a proxy server on windows
How to set up a proxy server on windows How to set up a proxy server on windows
How to set up a proxy server on windows codeandyou forums
 
What is $root scope in angularjs
What is $root scope in angularjsWhat is $root scope in angularjs
What is $root scope in angularjscodeandyou forums
 
How to save log4net into database
How to save log4net into databaseHow to save log4net into database
How to save log4net into databasecodeandyou forums
 

More from codeandyou forums (13)

MongoDB 3.2.0 Released
MongoDB 3.2.0 ReleasedMongoDB 3.2.0 Released
MongoDB 3.2.0 Released
 
Welcome to ionic 2
Welcome to ionic 2Welcome to ionic 2
Welcome to ionic 2
 
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
What is JSON? Why use JSON? JSON Types? JSON Helpful Tools?
 
How to install ssl certificate from .pem
How to install ssl certificate from .pemHow to install ssl certificate from .pem
How to install ssl certificate from .pem
 
Protractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular jsProtractor end-to-end testing framework for angular js
Protractor end-to-end testing framework for angular js
 
How routing works in angular js
How routing works in angular jsHow routing works in angular js
How routing works in angular js
 
How to use proxy server in .net application
How to use proxy server in .net applicationHow to use proxy server in .net application
How to use proxy server in .net application
 
How to catch query string in angular js
How to catch query string in angular jsHow to catch query string in angular js
How to catch query string in angular js
 
Different way to share data between controllers in angular js
Different way to share data between controllers in angular jsDifferent way to share data between controllers in angular js
Different way to share data between controllers in angular js
 
Angular.js interview questions
Angular.js interview questionsAngular.js interview questions
Angular.js interview questions
 
How to set up a proxy server on windows
How to set up a proxy server on windows How to set up a proxy server on windows
How to set up a proxy server on windows
 
What is $root scope in angularjs
What is $root scope in angularjsWhat is $root scope in angularjs
What is $root scope in angularjs
 
How to save log4net into database
How to save log4net into databaseHow to save log4net into database
How to save log4net into database
 

Recently uploaded

Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationElement34
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIBusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfMehmet Akar
 
Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14VMware Tanzu
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 

Recently uploaded (20)

Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIBusinessGPT - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
Abortion Clinic Pretoria ](+27832195400*)[ Abortion Clinic Near Me ● Abortion...
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14Spring into AI presented by Dan Vega 5/14
Spring into AI presented by Dan Vega 5/14
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 

Secure Application to Prevent HTTP Header Leaks in Asp.net

  • 1. Secure Application to Prevent HTTP Header Leaks in Asp.net
  • 2. Security is important factor in an application development. We use different techniques to secure our application like Network Security, Application Security, Database Security etc. The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. They provide different set of instruction to secure a web applications. OWASP suggested to add and remove some useful HTTP headers for secure your applications. https://www.owasp.org/index.php/List_of_useful_HTTP_headers Today we are removing following HTTP headers from our request. So, User can’t identity our web server and technology which we are using. Its default headers added by .Net framework to Response. With this user can identify our Web Server (IIS) Version, Asp.net Version, Asp.Net MVC Version etc.  Server  X-AspNet-Version  X-AspNetMvc-Version  X-Powered-By When you will call any API from REST Client. In Response You will see above HTTP Headers added by .Net framework. You can use any REST Client to test you API. We are using POSTMAN REST Client.
  • 3. We have twowaysto remove HTTP Headers. Use Global.asax orUse Web.Configfile. 1. Remove Server,X-AspNet-VersionandX-AspNetMvc-Version- Use Global.asax’s Application_PreSendRequestHeaders eventtoremove HeadersfromHTTPResponse. protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { HttpApplication app = sender as HttpApplication; if (app != null && app.Context != null) { app.Context.Response.Headers.Remove("Server"); app.Context.Response.Headers.Remove("X-AspNet-Version"); app.Context.Response.Headers.Remove("X-AspNetMvc-Version"); } } 2. Remove X-Powered-By Header and Add some important security headers- Some custom headers are not available into Global.asax file. You need to use Web.Config file to remove and add these headers. <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> <add name="X-Frame-Options" value="DENY"></add> <add name="X-XSS-Protection" value="1; mode=block"></add> <add name="X-Content-Type-Options" value="nosniff "></add> </customHeaders> </httpProtocol> You can learn more about useful HTTP Header here - https://www.owasp.org/index.php/List_of_useful_HTTP_headers After implement you will see that Server,X-AspNet-Version,X-AspNetMvc-Version and X- Powered-By headers removed from Response.
  • 4. Step By Step Example 1. Create MVC + Web API Project 2. Run Project
  • 5. 3. Add API Folder and create TestController 4. Use following code for TestController
  • 6. 5. Call API from REST Client 6. Check Header which showing arrow
  • 7. 7. Use following code into Global.asax to remove Server,X-AspNet-Version,X-AspNetMvc- Version HTTP Headers 8. Run code and check that Server,X-AspNet-Version,X-AspNetMvc-Version HTTP Headers remove.
  • 8. 9. Now Use Following customer headers in Web.config to remove X-Powered-By HTTP Headers 10. Check X-Powered-By HTTP Header removed and added some useful other HTTP Headers
  • 9. Thanks www.codeandyou.com http://www.codeandyou.com/2015/12/secure- application-to-prevent-http-header-leaks.html Keywords – Secure Application to Prevent HTTP Header Leaks Remove unwanted Header from Response Remove HTTP Headers Secure Asp.net Application