I have a WebAPI project called Mensajes.Cliente which contains an Angular application:

Project structure

For security reasons, I need to add 2 headers to every server response. I solved that by adding the following to Global.asax:

protected void Application_BeginRequest()
{
    Response.AddHeader("X-Frame-Options", "DENY");
    Response.AddHeader("X-XSS-Protection", "1");
}

When I call any of the controllers' methods, the response does contain both headers, so that works fine.

But when I try to get index.html as foo.com/Mensajes.Cliente or foo.com/Mensajes.Cliente/index.html, no header is set (it happens with all the static content, such as .js or .css files).

Request response

How can I add these headers to the response of every server request?

Must these headers be set in web.config or in Global.asax, or is it a server configuration?

1 Answer

  1. The easiest way to set headers for all the content of the site is in web.config. The customHeaders section under httpProtocol in system.webServer will make sure that these headers are included for all files and responses.

Example:

<system.webServer>
   <!--.......-->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
        <add name="X-XSS-Protection" value="1" />
      </customHeaders>
    </httpProtocol>    
    <!--.......-->
</system.webServer>
  2. Another option is to create a custom HttpModule. This way you have more control over the files and content to which the headers need to be appended.

Example:

using System;
using System.Web;

public class CustomOrgHeaderModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // PreSendRequestHeaders fires just before the response headers are
        // written, so headers added here reach every response this module sees.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose() { }

    void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        // To add the headers only for HTML files.
        // You can add any condition you need (css, js, ...).
        if (HttpContext.Current.Request.Url.ToString().Contains(".html"))
        {
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "DENY");
            HttpContext.Current.Response.Headers.Add("X-XSS-Protection", "1");
        }
    }
}

And register CustomOrgHeaderModule in web.config -

<system.webServer>
    <!--.......-->
    <modules>
        <!-- type is the full name of the class, i.e. Namespace.ClassName -->
        <add name="CustomHeaderModule" type="SOFTEST.NET.API.Modules.CustomOrgHeaderModule" />
    </modules>
    <!--.......-->
</system.webServer>

And you don't need to set Response.AddHeader in Global.asax any more.
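Whichever of the two approaches is used, the thing worth checking afterwards is exactly what the question describes: that the controllers and the static files (index.html, .js, .css) all come back with both headers. The checker below is an added example, not code from the question or the answer. It parses captured HTTP/1.1 responses and reports, per path, which of the two headers is missing or carries a different value. The response captures and the paths under /Mensajes.Cliente are constructed for the example; in practice the captures come from fetching each URL with a tool such as curl -i. Header names are compared case-insensitively, as HTTP requires.

```python
"""Check that the two security headers are present on every kind of response.

Added example (not part of the original question or answer). The raw responses
below are constructed; only foo.com, the /Mensajes.Cliente path and the two
header names come from the page.
"""

REQUIRED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1",
}

# Constructed captures: an API response that carries both headers (as the
# question says the controllers do), a static index.html with neither, and
# a .js file with one header set to a different value.
SAMPLE_RESPONSES = {
    "/Mensajes.Cliente/api/messages": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/json; charset=utf-8\r\n"
        "X-Frame-Options: DENY\r\n"
        "x-xss-protection: 1\r\n"
        "\r\n"
        '[{"id":1}]'
    ),
    "/Mensajes.Cliente/index.html": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Last-Modified: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
        "\r\n"
        "<html></html>"
    ),
    "/Mensajes.Cliente/app.js": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/javascript\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n"
        "console.log('hi');"
    ),
}


def parse_headers(raw_response):
    """Return the headers of a raw HTTP response as {lowercase-name: value}.

    Only the status line and the header block are read; the body after the
    blank line is ignored. A repeated header name keeps the last value seen.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[:1])
    headers = {}
    for line in lines[1:]:
        # partition on the first colon only: values such as dates contain colons
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def missing_headers(raw_response, required=REQUIRED_HEADERS):
    """Return the required headers this response lacks or sets to another value.

    The result maps the canonical header name to the value actually seen
    (None when absent), so SAMEORIGIN instead of DENY is reported as well as
    a header that is missing altogether.
    """
    present = parse_headers(raw_response)
    problems = {}
    for name, expected in required.items():
        actual = present.get(name.lower())
        if actual is None or actual.upper() != expected.upper():
            problems[name] = actual
    return problems


def audit(responses, required=REQUIRED_HEADERS):
    """Run missing_headers over every path; return only the paths with problems."""
    report = {}
    for path, raw in responses.items():
        problems = missing_headers(raw, required)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSES)
    if not report:
        print("all responses carry the required headers")
    for path, problems in report.items():
        for name, seen in problems.items():
            state = "missing" if seen is None else "is %r" % seen
            print("%s: %s %s" % (path, name, state))
```

Run against the constructed captures, the API path passes while index.html and app.js are reported, which is the situation the question describes. To use it on the real site, replace SAMPLE_RESPONSES with captures of each URL type (a controller method, index.html, a .js and a .css file); an empty report means the web.config or module change reaches static content as well.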
