Remove unnecessary headers from http responses.

2018-03-17 14:43:01 +01:00
parent 130c20a30d
commit 8fe526089e
4 changed files with 42 additions and 1 deletions
--- a/VAR.Focus.Web/GlobalModule.cs
+++ b/VAR.Focus.Web/GlobalModule.cs
@@ -0,0 +1,27 @@
+using System;
+using System.Web;
+
+namespace VAR.Focus.Web
+{
+    public class GlobalModule : IHttpModule
+    {
+        public void Dispose() { }
+
+        public void Init(HttpApplication context)
+        {
+            context.PreSendRequestHeaders += Context_PreSendRequestHeaders;
+        }
+
+        private void Context_PreSendRequestHeaders(object sender, EventArgs e)
+        {
+            HttpContext ctx = HttpContext.Current;
+            if (ctx == null) { return; }
+
+            ctx.Response.Headers.Remove("Server");
+            ctx.Response.Headers.Remove("X-Powered-By");
+            ctx.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+            ctx.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
+            ctx.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
+        }
+    }
+}
--- a/VAR.Focus.Web/Pages/FrmBoard.cs
+++ b/VAR.Focus.Web/Pages/FrmBoard.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Web;
+using System.Web.UI;
 using System.Web.UI.WebControls;
 using VAR.Focus.BusinessLogic;
 using VAR.Focus.BusinessLogic.Entities;
--- a/VAR.Focus.Web/VAR.Focus.Web.csproj
+++ b/VAR.Focus.Web/VAR.Focus.Web.csproj
@@ -91,6 +91,7 @@
    <Compile Include="Controls\CTextBox.cs" />
    <Compile Include="Controls\IValidableControl.cs" />
    <Compile Include="Code\GlobalErrorHandler.cs" />
+    <Compile Include="GlobalModule.cs" />
    <Compile Include="Pages\FormUtils.cs" />
    <Compile Include="Pages\FrmBoard.cs">
      <SubType>ASPXCodeBehind</SubType>
--- a/VAR.Focus.Web/web.config
+++ b/VAR.Focus.Web/web.config
@@ -2,17 +2,29 @@
 <configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1" />
+    <httpModules>
+      <add name="GlobalModule" type="VAR.Focus.Web.GlobalModule" />
+    </httpModules>
    <httpHandlers>
      <clear />
      <add path="*" verb="*" type="VAR.Focus.Web.GlobalRouter" />
    </httpHandlers>
-    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
+    <pages clientIDMode="AutoID" enableViewState="false" enableSessionState="false" enableViewStateMac="false" />
+    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
+    <modules>
+      <add name="GlobalModule" type="VAR.Focus.Web.GlobalModule" />
+    </modules>
    <handlers>
      <clear />
      <add name="GlobalRouter" path="*" verb="*" type="VAR.Focus.Web.GlobalRouter" />
    </handlers>
    <validation validateIntegratedModeConfiguration="false" />
+    <httpProtocol>
+      <customHeaders>
+        <remove name="X-Powered-By" />
+      </customHeaders>
+    </httpProtocol>
  </system.webServer>
 </configuration>