RehanSaeed / rehansaeed.github.io

Muhammad Rehan Saeed's Blog
https://rehansaeed.com

[Comment] NWebSec ASP.NET MVC Security Through HTTP Headers #98

Open RehanSaeed opened 4 years ago

RehanSaeed commented 4 years ago

https://rehansaeed.com/nwebsec-asp-net-mvc-security-through-http-headers/

RehanSaeed commented 4 years ago

Biagio Paruolo commented on 2015-05-21 07:27:26

.NET 4.5.x supports CORS out of the box.

RehanSaeed commented 4 years ago

Anna commented on 2016-03-20 19:20:15

Your documentation and the template refer to the ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, for 4.5.2 and before.

So please update the target versions and the runtime versions.

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-03-21 10:13:22

Your documentation and the template refer to the ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, for 4.5.2 and before.

So please update the target versions and the runtime versions.

I guess you are referring to httpRuntime targetFramework in Web.config. The ASP.NET 4.6 MVC 5 template currently supports .NET 4.5.1 to support VS 2012 users. I guess it's time to upgrade to .NET 4.5.2. I've checked in a change and you'll see the update out shortly. Users can always upgrade themselves in the project properties.

RehanSaeed commented 4 years ago

Val commented on 2016-10-18 16:03:05

Hi Rehan, great article, thanks!

I think you have a typo in the X-Frame-Options definition, it should be vice versa:

Thanks

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2016-11-04 09:48:49

Hi Rehan, great article, thanks!

I think you have a typo in the X-Frame-Options definition, it should be vice versa:

  • SameOrigin - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.
  • Deny - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.

Thanks

Thanks, fixed!

RehanSaeed commented 4 years ago

Rich commented on 2018-09-06 16:44:10

Can you explain what the advantages of this are over just adding the headers to the customHeaders section of the web.config file?

RehanSaeed commented 4 years ago

Muhammad Rehan Saeed commented on 2018-09-21 09:47:04

Can you explain what the advantages of this are over just adding the headers to the customHeaders section of the web.config file?

It's dynamic, so you can provide different headers for each page. Also, if you use ASP.NET Core, then NWebSec is the only way to go.
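The per-page flexibility described in the last reply, and the Deny/SameOrigin distinction corrected earlier in the thread, as an added ASP.NET MVC 5 example that is not code from the original post, the blog's template or the NWebSec project itself. It assumes the `NWebsec.Mvc` package is installed and that its `XFrameOptionsAttribute` and `XFrameOptionsPolicy` types live in the `NWebsec.Mvc.HttpHeaders` namespace (check against your installed version); `FilterConfig`, `WidgetController` and the two actions are hypothetical names chosen for the illustration.

```csharp
// Added example, not from the original post or the NWebSec project.
// Shows why NWebSec beats a static web.config <customHeaders> entry:
// a web.config entry emits one fixed X-Frame-Options value for every response,
// whereas NWebSec lets a global filter set a safe default and individual
// actions override it.
using System.Web.Mvc;
using NWebsec.Mvc.HttpHeaders;   // namespace assumed from the NWebsec.Mvc package

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Safe default for every action: the browser must refuse to render
        // the page inside any iframe (X-Frame-Options: Deny).
        filters.Add(new XFrameOptionsAttribute { Policy = XFrameOptionsPolicy.Deny });
    }
}

public class WidgetController : Controller   // hypothetical controller
{
    // This action is legitimately embedded in an iframe elsewhere on the same
    // site, so it relaxes the global Deny to SameOrigin: the browser renders it
    // in a frame only when the framing page shares this page's origin.
    [XFrameOptions(Policy = XFrameOptionsPolicy.SameOrigin)]
    public ActionResult Embed()
    {
        return View();
    }

    // No attribute here, so this action inherits the global Deny and can
    // never be framed, which is what you want for account or payment pages.
    public ActionResult Account()
    {
        return View();
    }
}
```

Register `FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters)` from `Application_Start` in Global.asax as the default MVC 5 template already does for its own filters. The equivalent web.config approach, `<add name="X-Frame-Options" value="DENY" />` under `system.webServer/httpProtocol/customHeaders`, sends the same value on every response, so the `Embed` action above could only be made frameable by weakening the whole site.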