Secure Application to Prevent HTTP Header Leaks in Asp.net


Security is an important factor in application development. We use different techniques to secure an application: network security, application security, database security, and so on.

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. It provides different sets of instructions for securing web applications.

OWASP recommends adding some useful HTTP headers, and removing others, to secure your applications.

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

Today we are removing the following HTTP headers from our responses, so that a user cannot identify our web server or the technology we are using. These are default headers that the .NET framework adds to the response; from them a user can identify our web server (IIS) version, ASP.NET version, ASP.NET MVC version, etc.

Server
X-AspNet-Version
X-AspNetMvc-Version
X-Powered-By

When you call any API from a REST client, you will see the above HTTP headers, added by the .NET framework, in the response.

You can use any REST client to test your API. We are using the POSTMAN REST client.



There are two ways to remove HTTP headers: using Global.asax or using the Web.config file.

1. Remove Server, X-AspNet-Version and X-AspNetMvc-Version - Use the Application_PreSendRequestHeaders event in Global.asax to remove headers from the HTTP response.

// Global.asax.cs (System and System.Web are already imported there).
// Strip the version-revealing headers just before the response headers are sent.
// Response.Headers can only be modified under the IIS integrated pipeline
// (IIS 7 and later); in classic mode this call throws PlatformNotSupportedException.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    HttpApplication app = sender as HttpApplication;
    if (app != null && app.Context != null)
    {
        app.Context.Response.Headers.Remove("Server");
        app.Context.Response.Headers.Remove("X-AspNet-Version");
        app.Context.Response.Headers.Remove("X-AspNetMvc-Version");
    }
}

2. Remove the X-Powered-By header and add some important security headers - Some headers cannot be removed from Global.asax. You need to use the Web.config file to remove and add these headers.

<!-- Web.config: the customHeaders section lives under <system.webServer>,
     which IIS reads in integrated mode. -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <!-- no trailing space: the value must be exactly "nosniff" -->
      <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

You can learn more about useful HTTP headers here:

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

After implementing this, you will see that the Server, X-AspNet-Version, X-AspNetMvc-Version and X-Powered-By headers have been removed from the response.
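To confirm the result without relying on a REST client screenshot, here is an added Python script (it is not part of the original post and not project code) that parses a raw HTTP response, reports which of the four fingerprinting headers are still present, and checks that the three hardening headers set in Web.config carry the expected values. It also covers steps 5 to 10 of the walkthrough below. The two sample responses, including the IIS, ASP.NET and MVC version strings in them, are constructed for illustration; audit_url is an assumed helper name for running the same check against a live endpoint.

```python
"""Audit an HTTP response for server-fingerprinting headers and for the
hardening headers added through <customHeaders>.  Added example, not from
the original post; sample responses below are constructed by hand."""

import urllib.request

# Headers the post removes because they reveal IIS / ASP.NET / MVC versions.
FINGERPRINT_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version",
                       "X-Powered-By")

# Headers the post adds via Web.config, with the values it sets.
EXPECTED_HARDENING = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: response before any change (version values are made up).
BEFORE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
    '{"ok":true}'
)

# Constructed sample: response after Global.asax and Web.config changes.
AFTER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"ok":true}'
)


def parse_raw_headers(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers).
    Header names are case-insensitive, so they are stored lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(headers):
    """Return (leaks, missing).  leaks maps each fingerprinting header still
    present to its value; missing maps each hardening header that is absent
    or carries an unexpected value to the value actually seen (None if absent)."""
    lower = {k.lower(): v for k, v in headers.items()}
    leaks = {h: lower[h.lower()] for h in FINGERPRINT_HEADERS if h.lower() in lower}
    missing = {}
    for name, expected in EXPECTED_HARDENING.items():
        seen = lower.get(name.lower())
        # Compare case-insensitively and ignore stray whitespace such as a
        # trailing space that slips into "nosniff " in a hand-edited config.
        if seen is None or seen.strip().lower() != expected.lower():
            missing[name] = seen
    return leaks, missing


def audit_url(url):
    """Assumed helper: fetch url and audit the live response headers."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(dict(resp.headers.items()))


def report(label, raw):
    """Print a human-readable summary for one raw response."""
    _, headers = parse_raw_headers(raw)
    leaks, missing = audit_headers(headers)
    print(f"== {label} ==")
    for name, value in leaks.items():
        print(f"  LEAK     {name}: {value}")
    for name, value in missing.items():
        print(f"  MISSING  {name} (seen: {value!r})")
    if not leaks and not missing:
        print("  OK: no fingerprinting headers, all hardening headers present")


if __name__ == "__main__":
    report("before", BEFORE_RESPONSE)
    report("after", AFTER_RESPONSE)
```

Running the script prints four LEAK and three MISSING lines for the "before" sample and a single OK line for the "after" sample; point audit_url at your own test endpoint to repeat the check against a deployed application.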







Step-by-step example to remove unwanted headers from the response

1. Create an MVC + Web API project.

2. Run the project.

3. Add an API folder and create TestController.

4. Use the following code for TestController.

5. Call the API from a REST client.

6. Check the headers indicated by the arrow.

7. Use the following code in Global.asax to remove the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers.

8. Run the code and check that the Server, X-AspNet-Version and X-AspNetMvc-Version HTTP headers have been removed.

9. Now use the following custom headers in Web.config to remove the X-Powered-By HTTP header.

10. Check that the X-Powered-By HTTP header has been removed and that the other useful HTTP headers have been added.




2 comments

2 May 2019 at 04:40

Nevada and Wyoming law, for example, takes into consideration the utilization of chosen one chiefs and officers and directors of a LLC, and candidate investors and individuals. getmoreprivacy.com

admin, 9 May 2019 at 03:02

This is an awesome post. Really very informative and creative contents. This concept is a good way to enhance knowledge. I like it and help me to development very well. Thank you for this brief explanation and very nice information. Well, got good knowledge.
http://www.levelsncurves.com/wordpress-development-company-chennai-india//

admin

Thanks for your comment