Secure Application to Prevent HTTP Header Leaks in Asp.net

1. Secure Application to Prevent
HTTP Header Leaks in Asp.net

2. Security is important factor in an application development. We use different techniques to secure our
application like Network Security, Application Security, Database Security etc.
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable
organization focused on improving the security of software. They provide different set of instruction
to secure a web applications.
OWASP suggested to add and remove some useful HTTP headers for secure your applications.
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Today we are removing following HTTP headers from our request. So, User can’t identity our web
server and technology which we are using. Its default headers added by .Net framework to Response.
With this user can identify our Web Server (IIS) Version, Asp.net Version, Asp.Net MVC Version
etc.
 Server
 X-AspNet-Version
 X-AspNetMvc-Version
 X-Powered-By
When you will call any API from REST Client. In Response You will see above HTTP Headers added by
.Net framework.
You can use any REST Client to test you API. We are using POSTMAN REST Client.

3. We have twowaysto remove HTTP Headers. Use Global.asax orUse Web.Configfile.
1. Remove Server,X-AspNet-VersionandX-AspNetMvc-Version- Use Global.asax’s
Application_PreSendRequestHeaders eventtoremove HeadersfromHTTPResponse.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpApplication app = sender as HttpApplication;
if (app != null && app.Context != null)
{
app.Context.Response.Headers.Remove("Server");
app.Context.Response.Headers.Remove("X-AspNet-Version");
app.Context.Response.Headers.Remove("X-AspNetMvc-Version");
}
}
2. Remove X-Powered-By Header and Add some important security headers- Some
custom headers are not available into Global.asax file. You need to use Web.Config file to
remove and add these headers.
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="X-Frame-Options" value="DENY"></add>
<add name="X-XSS-Protection" value="1; mode=block"></add>
<add name="X-Content-Type-Options" value="nosniff "></add>
</customHeaders>
</httpProtocol>
You can learn more about useful HTTP Header here -
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
After implement you will see that Server,X-AspNet-Version,X-AspNetMvc-Version and X-
Powered-By headers removed from Response.

4. Step By Step Example
1. Create MVC + Web API Project
2. Run Project

5. 3. Add API Folder and create TestController
4. Use following code for TestController

6. 5. Call API from REST Client
6. Check Header which showing arrow

7. 7. Use following code into Global.asax to remove Server,X-AspNet-Version,X-AspNetMvc-
Version HTTP Headers
8. Run code and check that Server,X-AspNet-Version,X-AspNetMvc-Version HTTP
Headers remove.

8. 9. Now Use Following customer headers in Web.config to remove X-Powered-By HTTP
Headers
10. Check X-Powered-By HTTP Header removed and added some useful other HTTP
Headers

9. Thanks
www.codeandyou.com
http://www.codeandyou.com/2015/12/secure-
application-to-prevent-http-header-leaks.html
Keywords –
Secure Application to Prevent HTTP Header Leaks
Remove unwanted Header from Response
Remove HTTP Headers
Secure Asp.net Application