Add custom response header to web.config

Time: 2016-04-04 18:32:19

Tags: asp.net web-config iis-6 asp.net-2.0

I have a website that is susceptible to a clickjacking vulnerability. Doing some research, it looks like one of the simple approaches is to simply add the X-Frame-Options: SAMEORIGIN to the response header. This is a very old web application (ca. last update was 2004), and is running IIS 6 with ASP.NET 2.0.

In newer versions, I could simply add the following section to the web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

And that would be the end of it. However, I can't seem to be able to verify that this is possible using IIS 6.

Is it possible with IIS 6 and ASP.NET 2.0 to do this in only the web.config file? If so, how? If not, what code changes would I have to make in order to achieve the same result? Would simply adding

Context.Response.AddHeader("X-Frame-Options", "SAMEORIGIN");

to the Global.asax#Application_EndRequest be sufficient?

1 answer:

Answer 0: (score: 0)

I don't believe that you'll be able to accomplish this solely by updating the web.config since you are targeting IIS 6 (as support for the <customHeaders> section was added in IIS 7+).

What you would likely need to do would be to create a custom HttpModule similar to the approach mentioned in this blog post that would handle actually adding the header, which might look something like this:

using System;
using System.Web;

public class SameOriginHeaderModule : IHttpModule
{
    private HttpApplication _application;

    public void Init(HttpApplication context)
    {
        _application = context;
        // PreSendRequestHeaders fires just before the response headers are written,
        // so the header is added to every response (including error pages).
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    // Handler name must match the event subscription above
    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        // If your request exists, add the header
        if (_application.Context != null)
        {
            var response = _application.Response;
            // Response.Headers is only writable under the IIS 7 integrated pipeline;
            // AppendHeader also works on IIS 6 / ASP.NET 2.0.
            response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
        }
    }

    public void Dispose()
    {
    }
}

You would then need to register this module within your web.config file as seen below:

<configuration>
    <system.web>
        <httpModules>
            <add name="SameOriginHeaderModule" type="SameOriginHeaderModule" />
        </httpModules>
    </system.web>
</configuration>
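Once the module is deployed, the thing to verify is that the header actually reaches the browser. The following check is an added example, not code from the question or the answer: it parses a raw HTTP response (for instance the output of `curl -i`, or a live fetch via `check_url`) and reports whether the X-Frame-Options header is present with a value browsers honour. The two sample responses are constructed to resemble an IIS 6 reply before and after the fix.

```python
"""Check whether an HTTP response carries an effective X-Frame-Options header."""
import urllib.request

# Only these two values are honoured by current browsers; ALLOW-FROM was dropped.
EFFECTIVE_VALUES = {"DENY", "SAMEORIGIN"}


def evaluate(values):
    """values: every X-Frame-Options value found in one response (may be empty)."""
    if not values:
        return False, "header missing: the page can be framed by any origin"
    distinct = {v.strip().upper() for v in values}
    if len(distinct) > 1:
        return False, "conflicting values %s: browsers differ in how they treat this" % sorted(distinct)
    value = distinct.pop()
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors instead"
    if value not in EFFECTIVE_VALUES:
        return False, "unrecognised value %r is ignored by browsers" % value
    return True, "X-Frame-Options: " + value


def check_raw_response(raw):
    """Parse a raw HTTP/1.x response (e.g. the output of `curl -i`) and evaluate it."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value)
    return evaluate(values)


def check_url(url):
    """Fetch a live URL and evaluate its headers (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return evaluate(resp.headers.get_all("X-Frame-Options") or [])


# Constructed sample responses, modelled on an IIS 6 reply before and after the fix.
BEFORE_FIX = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
              "Content-Type: text/html\r\n\r\n<html></html>")
AFTER_FIX = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
             "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, reason = check_raw_response(raw)
        print("%s: %s (%s)" % (label, "PASS" if ok else "FAIL", reason))
```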