9 HTTP headers
This chapter covers
- Which ASP.NET Core HTTP response headers might leak information
- Removing revealing HTTP headers from the server response
- Which HTTP headers activate browser security features
- Adding custom HTTP headers to an HTTP response in an ASP.NET Core application
MITRE Corporation, the well-known research facility doing major work for the US government, is the initiator and sponsor of the CVE project (https://cve.org). The project's goal is to identify and list common vulnerabilities, hence the name: Common Vulnerabilities and Exposures. The website https://www.cvedetails.com/, which is independent of MITRE and the CVE project but reuses its classification scheme, provides a searchable list of all reported vulnerabilities in various software products. For instance, https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3427/Microsoft-Internet-Information-Services.html lists all security vulnerabilities in Microsoft’s IIS (Internet Information Services), and https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-42998/Microsoft-Asp.net-Core.html shows all security-related issues reported in ASP.NET Core (depicted in Figure 9.1).
If you drill down into a specific CVE, you will find more details, including information about the version or patch in which the issue was fixed.