Open RehanSaeed opened 4 years ago
Biagio Paruolo commented on 2015-05-21 07:27:26
.NET 4.5.x supports CORS out of the box.
Anna commented on 2016-03-20 19:20:15
Your documentation and the template refer to ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, against 4.5.2 and before.
So please update the target versions and the runtime versions.
Muhammad Rehan Saeed commented on 2016-03-21 10:13:22
> Your documentation and the template refer to ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, against 4.5.2 and before.
> So please update the target versions and the runtime versions.
I guess you are referring to httpruntime targetframework in Web.config. The ASP.NET 4.6 MVC 5 template currently supports .NET 4.5.1 to support VS 2012 users. I guess it's time to upgrade to .NET 4.5.2. I've checked in a change and you'll see the update out shortly. Users can always upgrade themselves in the project properties.
Val commented on 2016-10-18 16:03:05
Hi Rehan, Great article, thanks!
I think you have a typo in the X-Frame-Options definition, it should be vice versa:
SameOrigin - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.
Deny - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.
Thanks
Muhammad Rehan Saeed commented on 2016-11-04 09:48:49
> Hi Rehan, Great article, thanks!
> I think you have a typo in the X-Frame-Options definition, it should be vice versa:
> SameOrigin - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.
> Deny - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.
> Thanks
Thanks, fixed!
Rich commented on 2018-09-06 16:44:10
Can you explain what the advantages of this are over just adding the headers to the customheaders section of the web.config file?
Muhammad Rehan Saeed commented on 2018-09-21 09:47:04
> Can you explain what the advantages of this are over just adding the headers to the customheaders section of the web.config file?
It's dynamic, so you can provide different headers for each page. Also, if you use ASP.NET Core, then NWebSec is the only way to go.
https://rehansaeed.com/nwebsec-asp-net-mvc-security-through-http-headers/