Secure Application to Prevent HTTP Header Leaks in Asp.net


Security is an important factor in application development. We use different techniques to secure an application: network security, application security, database security and so on.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. It publishes guidance on securing web applications.

OWASP suggests adding some useful HTTP headers to your responses, and removing others, to harden your applications.

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Today we remove the following HTTP headers from our responses so that a client cannot fingerprint the web server and the technology stack behind it. IIS and the .NET framework add these headers to every response by default, and together they reveal the IIS version, the ASP.NET version and the ASP.NET MVC version:

Server
X-AspNet-Version
X-AspNetMvc-Version
X-Powered-By

When you call any API from a REST client, you will see the headers above in the response; they are added by IIS and the .NET framework, not by your code. Keep in mind that hiding them is defence in depth, not a fix: an unpatched IIS or framework is just as exploitable without its banner, and scanners can still recognise ASP.NET from other signals (the .aspx extension, ViewState, the ASP.NET_SessionId cookie). Keep patching, and treat header removal as giving casual scanners less to work with.

You can use any REST client to test your API. We are using the Postman REST client.



There are two places to remove HTTP headers: Global.asax or the Web.config file.

1. Remove Server, X-AspNet-Version and X-AspNetMvc-Version - Use the Application_PreSendRequestHeaders event in Global.asax to strip the headers from every HTTP response. This only works under the IIS integrated pipeline (Response.Headers throws PlatformNotSupportedException in classic mode), and it only runs for requests that actually reach ASP.NET. Two of the headers can also be switched off at the source instead of being stripped afterwards: enableVersionHeader="false" on <httpRuntime> in Web.config suppresses X-AspNet-Version, and setting MvcHandler.DisableMvcResponseHeader = true in Application_Start suppresses X-AspNetMvc-Version.

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Fires just before the response headers are flushed to the client,
    // which is the last point at which they can still be removed.
    HttpApplication app = sender as HttpApplication;
    if (app != null && app.Context != null)
    {
        // Requires the IIS integrated pipeline; Response.Headers is not
        // writable in classic mode.
        app.Context.Response.Headers.Remove("Server");
        app.Context.Response.Headers.Remove("X-AspNet-Version");
        app.Context.Response.Headers.Remove("X-AspNetMvc-Version");
    }
}

2. Remove the X-Powered-By header and add some important security headers - X-Powered-By is added by IIS itself rather than by the ASP.NET pipeline, so the clean place to remove it is the <customHeaders> section of Web.config, which IIS applies to every response it serves. The same section can add protective headers. If a parent configuration (for example applicationHost.config) already defines a header of the same name, put a <remove> before the <add>, otherwise IIS rejects the configuration with a duplicate-entry error.

<!-- Web.config: customHeaders lives under system.webServer, i.e. it is applied by IIS, not by ASP.NET -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- X-Powered-By is added by IIS, so it is removed here rather than in Global.asax -->
      <remove name="X-Powered-By" />
      <!-- Clickjacking protection: refuse to be rendered inside a frame -->
      <add name="X-Frame-Options" value="DENY" />
      <!-- Legacy browser XSS filter switch; current browsers ignore it, Content-Security-Policy is the replacement -->
      <add name="X-XSS-Protection" value="1; mode=block" />
      <!-- Value must be exactly "nosniff" (the original had a stray trailing space) -->
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

You can learn more about useful HTTP Header here -

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

After implementing both changes you will see that the Server, X-AspNet-Version, X-AspNetMvc-Version and X-Powered-By headers are gone from the response. Check a static file and an IIS-generated error page (for example a 404 for a missing .html file) as well: those responses never enter the ASP.NET pipeline, so Global.asax cannot touch them and the Server header will still appear there. On IIS 10 and later that remaining case can be closed in Web.config with removeServerHeader="true" on <requestFiltering> under <security>.







Step-by-step example to remove unwanted headers from the response


1. Create an MVC + Web API project


2. Run the project


3. Add an API folder and create TestController


4. Use the following code for TestController




5. Call the API from a REST client




6. Check the headers marked with an arrow

  


7. Use the following code in Global.asax to remove the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers



8. Run the code and check that the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers are removed



9. Now use the following custom headers in Web.config to remove the X-Powered-By HTTP header



10. Check that the X-Powered-By HTTP header is removed and the other useful HTTP headers are added
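The check performed by eye in Postman in step 10 above (and in the "After implementing both changes" paragraph earlier) can be scripted so it runs on every deployment. The following Python audit is an added example, not code from the original post: it parses a raw HTTP response, reports the four fingerprint headers if any survive, confirms that X-Frame-Options and X-Content-Type-Options are present with values a browser honours, and also flags a duplicated protective header (which happens when Web.config and an MVC filter both add it, and which browsers resolve inconsistently), a case the post does not discuss. The BEFORE and AFTER responses are constructed to mirror the headers described above, not captured from a real server, and fetch_headers is a hypothetical helper for pointing the same check at a live URL.

```python
"""Audit an HTTP response for server/framework fingerprint headers and for the
protective headers added in Web.config. Added example; sample responses below
are constructed for illustration, not captured from a real IIS server."""
import sys
import urllib.request

# Headers that reveal the web server and framework versions to a client.
LEAK_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")

# Protective headers we require, with the values browsers actually honour.
# X-XSS-Protection is deliberately not required: current browsers ignore it
# and Content-Security-Policy is the replacement.
REQUIRED_HEADERS = {
    "x-frame-options": ("deny", "sameorigin"),
    "x-content-type-options": ("nosniff",),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {name: [values]}).
    Names are lower-cased because header names are case-insensitive; repeated
    headers are kept as separate values so duplicates can be detected."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit(headers):
    """Return a report: leaked fingerprint headers, missing protections, and
    protections that are present but duplicated or carry an unexpected value."""
    leaks = {h: headers[h] for h in LEAK_HEADERS if h in headers}
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    wrong = {}
    for name, allowed in REQUIRED_HEADERS.items():
        if name in headers:
            values = [v.lower() for v in headers[name]]
            # Two copies (e.g. one from web.config, one from an MVC filter)
            # are flagged: browsers do not agree on which copy wins.
            if len(values) != 1 or values[0] not in allowed:
                wrong[name] = headers[name]
    return {"leaks": leaks, "missing": missing, "wrong": wrong,
            "clean": not (leaks or missing or wrong)}


def fetch_headers(url):
    """Hypothetical helper: fetch a live URL and return its headers in the
    same {name: [values]} shape that parse_response produces."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        headers = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value.strip())
        return headers


# Constructed sample: what a default MVC + Web API project answers (before).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)

# Constructed sample: the same endpoint after the Global.asax and Web.config changes.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Date: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
    "Content-Length: 2\r\n"
    "\r\n"
    "{}"
)


def main(argv):
    # With a URL argument audit the live server, otherwise audit the AFTER sample.
    headers = fetch_headers(argv[1]) if len(argv) > 1 else parse_response(AFTER)[1]
    report = audit(headers)
    for key in ("leaks", "missing", "wrong"):
        print("%-8s %s" % (key + ":", report[key]))
    return 0 if report["clean"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python audit.py https://your-host/api/test after deploying; a non-zero exit code makes it usable as a release gate. Point it at a static file and at a URL that yields an IIS 404 as well as at the API, since those responses bypass Global.asax.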



Keywords

HTTP Header Leaks

Secure Application to Prevent HTTP Header Leaks

Remove unwanted Header from Response

Remove HTTP Headers

Secure Asp.net Application 



Comments

  1. This comment has been removed by a blog administrator.

  2. Nice post! This is a very nice blog that I will definitely come back to more times this year! Thanks for the informative post. hide my wp

  3. Wonderful article. Fascinating to read. I love to read such an excellent article. Thanks! It has made my task more and extra easy. Keep rocking. see how to download Lulubox for Android

  4. This is why it is better that you should link a review before developing. It is possible to post superior send that way. Website Design