9 HTTP headers


This chapter covers

  • Which ASP.NET Core HTTP response headers might leak information
  • Removing revealing HTTP headers from the server response
  • Which HTTP headers activate browser security features
  • Adding custom HTTP headers to an HTTP response in an ASP.NET Core application

MITRE Corporation, the well-known research organization doing major work for the US government, is the initiator and sponsor of the CVE project (https://cve.org). Its goal is to identify and list common vulnerabilities, hence the name: Common Vulnerabilities and Exposures. The website https://www.cvedetails.com/, which is independent of MITRE and the CVE project but reuses its classification scheme, provides a searchable list of all reported vulnerabilities in various software products. For instance, https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3427/Microsoft-Internet-Information-Services.html lists all security vulnerabilities reported for Microsoft’s IIS (Internet Information Services), and https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-42998/Microsoft-Asp.net-Core.html shows all security-related issues reported for ASP.NET Core (depicted in Figure 9.1).

Figure 9.1 CVEs found in ASP.NET Core in the past

If you drill down into one specific CVE, you will find more details, including the version or patch in which the issue was fixed.

9.1 Hiding Server Information


9.2 Browser Security Headers


9.2.1 Referrer Policy


9.2.2 Feature and Permissions Policy


9.2.3 Preventing Content Sniffing


9.2.4 Cross-Origin Policies


9.2.5 Further Headers


9.3 Summary
