Is Kentico re-adding stripped HttpHeaders?

Ben Knight asked on July 11, 2017 09:24

I currently have a Kentico 10 solution with a ASPX project where I have custom extensions/functionality.

One of these custom modules I have created is to strip out certain HttpHeaders for security reasons (Server, X-AspNet-Version etc).

When I run the solution in debug mode, my breakpoints are being hit and I can see that the headers are being stripped out, however when I inspect the site using developer tools in Chrome, the headers are still present with any page that Kentico has sight of.

I have tested this by adding a blank "Hello World" txt file to the web solution (Kentico has no idea of this page) and navigating to it, upon inspection the headers are correctly stripped.

My question is, does Kentico somehow reapply the headers that I have stripped? If so, is there a work around to prevent this from happening?

kentico 10 httpheaders security

Correct Answer

Ben Knight answered on July 11, 2017 10:02

Resolved this - Issue was in the module code itself using the incorrect HttpApplication state and stripping the headers out at the wrong time

2 votesVote for this answer Unmark Correct answer

Recent Answers

Jan Šedo answered on July 11, 2017 10:02

It shouldn't. Where exactly in the code are you stripping them? Is it possible that you're doing this too late? I've seen Kentico project stripping these successfully by adding following to the Global.asax.cs file:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
   HttpContext.Current.Response.Headers.Remove("X-Powered-By");
   HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
   HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
   HttpContext.Current.Response.Headers.Remove("Server");
}

0 votesVote for this answer Mark as a Correct answer