Tags: asp.net, web-config, web-application-security

Asp.net web.config syntax issue


I am working on an asp.net application, removing security vulnerabilities. The vulnerabilities which I want to discuss are 'X-XSS Protection' and 'clickjacking'. I went searching and followed this link. I just used the solution under the heading 'Using <customHeaders> in Web.Config'.

After this, when I ran the application, I got a 500 internal server error: HTTP Error 500.19 - Internal Server Error. In the detailed error information, under the Config Error label, it says: Unrecognized element 'add'.

After this I removed the closing tags </add> and was left with just <add name="X-Frame-Options" value="DENY"/>, and now the application runs properly.

I need some help on the following points:

  1. Why does the syntax given in the above link not work?
  2. Can anyone explain the significance of the lines below:

    <add name="X-Frame-Options" value="DENY"/>
    <add name="X-XSS-Protection" value="1; mode=block"/>
    <add name="X-Content-Type-Options" value="nosniff "/>

I know a little that these are additional security headers. Thanks.


Solution

  • There are several things wrong with the format in the linked article, which I've replicated here...

    <httpprotocol> 
     <customheaders> 
      <remove name="X-Powered-By"> 
      <add name="X-Frame-Options" value="DENY"> 
      <add name="X-XSS-Protection" value="1; mode=block"> 
      <add name="X-Content-Type-Options" value="nosniff "> 
     </add></add></add></remove></customheaders> 
    </httpprotocol>
    
    • <httpprotocol> and </httpprotocol> must be <httpProtocol> and </httpProtocol>
    • <customheaders> and </customheaders> must be <customHeaders> and </customHeaders>
    • <add> and <remove> must be direct children of <customHeaders>... they cannot be nested.
    • Although I can't say 100%, I believe the space in "nosniff " might be an issue (although it will probably be handled correctly, I would suggest removing it in case a browser ignores it).

    The use of <add></add> or <add/> elements makes no difference, as long as they're all direct children of the <customHeaders> element.

    <httpProtocol> 
     <customHeaders> 
      <remove name="X-Powered-By" />
      <add name="X-Frame-Options" value="DENY" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="X-Content-Type-Options" value="nosniff" />
     </customHeaders> 
    </httpProtocol>
    

    For the actual options see...
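As an added example, not code from the question or the answer: a small Python lint (assumed tooling, nothing IIS or ASP.NET ships) that parses a customHeaders block and reports the three defects the answer lists, namely element-name casing, <add>/<remove> nested instead of sitting directly under <customHeaders>, and stray whitespace in a header value. The two embedded snippets are the answer's broken and corrected configs.

```python
import xml.etree.ElementTree as ET

# XML element names are case-sensitive, so IIS rejects <httpprotocol> and <customheaders>.
CANONICAL = {"httpprotocol": "httpProtocol", "customheaders": "customHeaders",
             "add": "add", "remove": "remove"}

def lint_custom_headers(config_xml: str) -> list[str]:
    """Return the problems found in a customHeaders block; an empty list means it is clean."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    problems = []
    for elem in root.iter():
        canonical = CANONICAL.get(elem.tag.lower())
        if canonical is None:
            continue  # an element this lint does not know about
        if canonical in ("add", "remove"):
            label = f"<{elem.tag} name='{elem.get('name', '?')}'>"
        else:
            label = f"<{elem.tag}>"
        if elem.tag != canonical:
            problems.append(f"{label} must be spelled <{canonical}>")
        if canonical in ("add", "remove"):
            parent = parent_of.get(elem)
            if parent is None or parent.tag.lower() != "customheaders":
                where = f"<{parent.tag}>" if parent is not None else "the document root"
                problems.append(f"{label} must be a direct child of <customHeaders>, found inside {where}")
        if canonical == "add":
            value = elem.get("value", "")
            if value != value.strip():
                problems.append(f"{label} has leading/trailing whitespace in value {value!r}")
    return problems

# The broken block from the linked article, as replicated in the answer.
BROKEN = """<httpprotocol><customheaders>
  <remove name="X-Powered-By">
    <add name="X-Frame-Options" value="DENY">
      <add name="X-XSS-Protection" value="1; mode=block">
        <add name="X-Content-Type-Options" value="nosniff ">
  </add></add></add></remove>
</customheaders></httpprotocol>"""

# The corrected block from the answer.
FIXED = """<httpProtocol><customHeaders>
  <remove name="X-Powered-By" />
  <add name="X-Frame-Options" value="DENY" />
  <add name="X-XSS-Protection" value="1; mode=block" />
  <add name="X-Content-Type-Options" value="nosniff" />
</customHeaders></httpProtocol>"""

if __name__ == "__main__":
    for title, snippet in (("broken", BROKEN), ("fixed", FIXED)):
        print(title, lint_custom_headers(snippet) or "OK")
```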