
[Comment] NWebSec ASP.NET MVC Security Through HTTP Headers

Open RehanSaeed opened this issue 5 years ago • 7 comments

https://rehansaeed.com/nwebsec-asp-net-mvc-security-through-http-headers/

RehanSaeed · May 12 '20 10:05

Biagio Paruolo Biagio Paruolo commented on 2015-05-21 07:27:26

.NET 4.5.x supports CORS out of the box.

RehanSaeed · May 12 '20 10:05

Anna Anna commented on 2016-03-20 19:20:15

Your documentation and the template refer to the ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, for 4.5.2 and before.

So please update the target versions and the runtime versions.

RehanSaeed · May 12 '20 10:05

Muhammad Rehan Saeed Muhammad Rehan Saeed commented on 2016-03-21 10:13:22

Your documentation and the template refer to the ASP 4.5 runtime - this in itself is a big security issue, since Microsoft has upgraded to 4.6.1 and stopped support, including security notices, for 4.5.2 and before.

So please update the target versions and the runtime versions.

I guess you are referring to httpruntime targetframework in Web.config. The ASP.NET 4.6 MVC 5 template currently supports .NET 4.5.1 to support VS 2012 users. I guess it's time to upgrade to .NET 4.5.2. I've checked in a change and you'll see the update out shortly. Users can always upgrade themselves in the project properties.

RehanSaeed · May 12 '20 10:05

Val Val commented on 2016-10-18 16:03:05

Hi Rehan, great article, thanks!

I think you have a typo in the X-Frame-Options definition; it should be the other way round:

  • SameOrigin - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.
  • Deny - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.

Thanks

RehanSaeed · May 12 '20 10:05

Muhammad Rehan Saeed Muhammad Rehan Saeed commented on 2016-11-04 09:48:49

Hi Rehan, great article, thanks!

I think you have a typo in the X-Frame-Options definition; it should be the other way round:

  • SameOrigin - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.
  • Deny - Specifies that the X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.

Thanks

Thanks, fixed!

RehanSaeed · May 12 '20 10:05

Rich Rich commented on 2018-09-06 16:44:10

Can you explain what the advantages of this are over just adding the headers to the customHeaders section of the web.config file?

RehanSaeed · May 12 '20 10:05

Muhammad Rehan Saeed Muhammad Rehan Saeed commented on 2018-09-21 09:47:04

Can you explain what the advantages of this are over just adding the headers to the customHeaders section of the web.config file?

It's dynamic, so you can provide different headers for each page. Also, if you use ASP.NET Core, then NWebSec is the only way to go.

RehanSaeed · May 12 '20 10:05
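Two points in this thread are easy to get backwards: Val's correction of the X-Frame-Options semantics (SameOrigin still allows framing, but only from the page's own origin; Deny blocks every frame), and Rehan's reply that a per-page library beats a static web.config block because different pages can carry different policies. The example below is added here and is not code from the article, from NWebSec or from the comment authors. It is written in Python rather than C# because it models the browser's side of the header and audits a route-to-policy map, not the server configuration. The function names and the sample route table are constructed for illustration.

```python
"""Model the browser-side evaluation of X-Frame-Options and audit a per-route
policy table. Added example; not from the article or from NWebSec."""
from urllib.parse import urlsplit

# Values RFC 7034 actually defines; anything else is ignored by modern browsers,
# which leaves the page with no framing protection at all.
VALID_XFO_VALUES = ("DENY", "SAMEORIGIN")


def origin_of(url: str) -> str:
    """Scheme + host + port, lower-cased: the tuple browsers compare for 'same origin'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def header_value(raw_response: str, name: str):
    """Pull one header (case-insensitive name) out of a raw HTTP response text.

    Returns None when the header is absent, which is exactly the case a browser
    treats as 'no restriction'."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def framing_allowed(xfo_value, page_url: str, framer_url: str) -> bool:
    """Would a browser render page_url inside a frame hosted on framer_url?

    DENY        -> never (this is the value Val's comment describes for Deny)
    SAMEORIGIN  -> only when the framing document has the same origin as the page
    absent/other-> yes; an unrecognised value gives no protection"""
    if xfo_value is None:
        return True
    value = xfo_value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    return True  # deprecated ALLOW-FROM or a typo: treated as unprotected


# Constructed per-route table, standing in for per-page attributes: an embeddable
# widget deliberately allows same-origin framing while the rest of the site denies.
ROUTE_POLICIES = {
    "/account/login": "DENY",
    "/embed/widget": "SAMEORIGIN",
    "/legacy/report": None,        # nobody set a policy on this page
    "/admin": "ALLOWALL",          # not a real value; browsers will ignore it
}


def audit_routes(route_policies: dict) -> list:
    """Return (route, problem) pairs for pages that end up frameable from anywhere."""
    findings = []
    for route, value in route_policies.items():
        if value is None:
            findings.append((route, "missing X-Frame-Options"))
        elif value.strip().upper() not in VALID_XFO_VALUES:
            findings.append((route, f"unrecognised value {value!r}; browsers ignore it"))
    return findings


if __name__ == "__main__":
    # Constructed response, the kind NWebSec's SameOrigin setting produces.
    sample = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "x-frame-options: SAMEORIGIN\r\n\r\n<html></html>")
    xfo = header_value(sample, "X-Frame-Options")
    page = "https://app.example.com/embed/widget"
    for framer in ("https://app.example.com/dashboard", "https://other.example/page"):
        print(f"{framer}: framing {'allowed' if framing_allowed(xfo, page, framer) else 'blocked'}")
    for route, problem in audit_routes(ROUTE_POLICIES):
        print(f"{route}: {problem}")
```

The audit is the practical consequence of Rehan's "it's dynamic" answer: once each page can declare its own policy, the thing to check is not whether web.config contains the header once, but whether every route that matters ends up with a recognised value.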