Home > database >  Asp.net web.config syntax issue
Asp.net web.config syntax issue

Time:01-27

I am working on asp.net application for removing security vulnerabilities. The vulnerability which I want to discuss are 'X-XSS Protection' and 'clickjacking'. I went through searching and followed this link. I just used the solution under the head 'Using <customHeaders> in Web.Config'

After this when I run the application I got 500 internal server error: HTTP Error 500.19 - Internal Server Error. In the detailed error information under Config Error label it says that Unrecognized element 'add'.

After this I removed the closing tags </add> and just left with <add name="X-Frame-Options" value="DENY"/> and now the application runs properly.

On following points I need some help:

  1. Why the syntax given in above link does not work?
  2. Can anyone explain the significance of below lines:

<add name="X-Frame-Options" value="DENY"/> <add name="X-XSS-Protection" value="1; mode=block"/> <add name="X-Content-Type-Options" value="nosniff "/>

Little bit I know that these are additional security headers. Thanks

CodePudding user response:

There are several things wrong with the format in the linked article, which I've replicated here...

<httpprotocol> 
 <customheaders> 
  <remove name="X-Powered-By"> 
  <add name="X-Frame-Options" value="DENY"> 
  <add name="X-XSS-Protection" value="1; mode=block"> 
  <add name="X-Content-Type-Options" value="nosniff "> 
 </add></add></add></remove></customheaders> 
</httpprotocol>
  • <httpprotocol> and </httpprotocol> must be <httpProtocol> and </httpProtocol>
  • <customheaders> and </customheaders> must be <customHeaders> and </customHeaders>
  • <add> and <remove> must be direct children of <customHeaders>... they cannot be nested.
  • although I can't say 100%, I believe the space in "nosiff " might be an issue (although it will probably be handled correctly, I would suggest it was removed in case a browser ignores it)

The use of <add></add> or <add/> elements makes no difference, as long as they're all direct children of the <customHeaders> element

<httpProtocol> 
 <customHeaders> 
  <remove name="X-Powered-By" />
  <add name="X-Frame-Options" value="DENY" />
  <add name="X-XSS-Protection" value="1; mode=block" />
  <add name="X-Content-Type-Options" value="nosniff" />
 </customHeaders> 
</httpProtocol>

For the actual options see...

Page link:https//www.codepudding.com/database/277609.html

Prev:Why does MySQL return results that don't appear to match the query?
Next:Filter data from deep json child
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding