I am working on asp.net application for removing security vulnerabilities. The vulnerability which I want to discuss are 'X-XSS Protection' and 'clickjacking'.
I went through searching and followed this link. I just used the solution under the head 'Using <customHeaders> in Web.Config'
After this when I run the application I got 500 internal server error: HTTP Error 500.19 - Internal Server Error. In the detailed error information under Config Error label it says that Unrecognized element 'add'.
After this I removed the closing tags </add> and just left with <add name="X-Frame-Options" value="DENY"/> and now the application runs properly.
On following points I need some help:
- Why the syntax given in above link does not work?
- Can anyone explain the significance of below lines:
<add name="X-Frame-Options" value="DENY"/> <add name="X-XSS-Protection" value="1; mode=block"/> <add name="X-Content-Type-Options" value="nosniff "/>
Little bit I know that these are additional security headers. Thanks
There are several things wrong with the format in the linked article, which I've replicated here...
<httpprotocol>and</httpprotocol>must be<httpProtocol>and</httpProtocol><customheaders>and</customheaders>must be<customHeaders>and</customHeaders><add>and<remove>must be direct children of<customHeaders>... they cannot be nested."nosiff "might be an issue (although it will probably be handled correctly, I would suggest it was removed in case a browser ignores it)The use of
<add></add>or<add/>elements makes no difference, as long as they're all direct children of the<customHeaders>elementFor the actual options see...