9 HTTP headers

This chapter covers

  • Understanding leaky ASP.NET Core HTTP response headers
  • Removing HTTP headers that are too revealing
  • Discovering HTTP headers offering browser security features
  • Adding custom HTTP headers to an HTTP response

MITRE Corporation, the well-known research facility doing major work for the US government, is the initiator and sponsor of the CVE Program (https://cve.org). Its goal is to identify and list common vulnerabilities, thus the name CVE: Common Vulnerabilities and Exposures. The website—www.cvedetails.com/, independent of MITRE and the CVE project, but reusing its classification scheme—provides a searchable list of all reported vulnerabilities in various software products. For instance, http://mng.bz/gwDe lists all security vulnerabilities from Microsoft’s IIS (Internet Information Services), and http://mng.bz/e7j9 shows all security-related issues reported in ASP.NET Core (figure 9.1).

Figure 9.1 CVEs found in ASP.NET Core in the past

If you drill down in one specific CVE, you will find more details, including information about the version or patch in which the issue has been fixed.

Now take a closer look at the HTTP response headers an ASP.NET Core application sends to the client. Figure 9.2 shows a typical output of a site running on IIS.

Figure 9.2 HTTP headers returned by ASP.NET Core by default
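As an added example (not the book's own code), the following minimal ASP.NET Core `Program.cs` turns off Kestrel's `Server` header and sets the browser security headers that sections 9.2.1 through 9.2.4 are named after; the header values chosen are assumptions for illustration, and the `X-Powered-By` removal assumes the app is hosted behind IIS.

```csharp
// Added example, not from the book: strip revealing response headers and
// add the browser security headers this chapter discusses.
var builder = WebApplication.CreateBuilder(args);

// Kestrel adds "Server: Kestrel" unless told not to.
builder.WebHost.ConfigureKestrel(options => options.AddServerHeader = false);

var app = builder.Build();

app.Use(async (context, next) =>
{
    // OnStarting runs right before the response headers are flushed,
    // so later middleware cannot re-add what is removed here.
    context.Response.OnStarting(() =>
    {
        var headers = context.Response.Headers;
        headers.Remove("Server");
        // Assumption: IIS hosting. IIS adds X-Powered-By outside the
        // pipeline, so it must also be removed in web.config:
        //   <customHeaders><remove name="X-Powered-By" /></customHeaders>
        headers.Remove("X-Powered-By");

        // Values below are illustrative choices, not the book's recommendations.
        headers["Referrer-Policy"] = "strict-origin-when-cross-origin";                // 9.2.1
        headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()";   // 9.2.2
        headers["X-Content-Type-Options"] = "nosniff";                                 // 9.2.3
        headers["Cross-Origin-Opener-Policy"] = "same-origin";                         // 9.2.4
        headers["Cross-Origin-Resource-Policy"] = "same-origin";                       // 9.2.4
        return Task.CompletedTask;
    });

    await next();
});

app.MapGet("/", () => "Hello, hardened headers!");
app.Run();
```

Verify the result with `curl -I https://localhost:5001/` and check that `Server` and `X-Powered-By` are absent while the policy headers are present.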

9.1 Hiding server information

9.2 Browser security headers

9.2.1 Referrer Policy

9.2.2 Feature and permissions policy

9.2.3 Preventing content sniffing

9.2.4 Cross-origin policies

9.2.5 Further headers

Summary
