Securing my ASP.NET MVC3 website against "Click jacking" - visual-studio-2010

Recently I was flipping through some security issues faced by websites. Fortunately I came across a new term, "Click jacking".
I understood that this attack happens only if my website is loadable in an IFrame.
Further investigation helped me learn that setting "x-frame-options" to "DENY" prevents the website from being loaded in an IFrame.
But I don't know how to implement this, as I am very new to this domain.

In your Global.asax you can add the following:
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Runs for every request, so every response of the site carries the header
    HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN");
}

Just put the following under the <system.webServer> section of the web.config file:
<httpProtocol>
    <customHeaders>
        <add name="X-Frame-Options" value="DENY"/>
    </customHeaders>
</httpProtocol>
NOTE: The X-Frame-Options header may contain one of three tokens. You can use any one of these; each has its own significance.
DENY
SAMEORIGIN
ALLOW-FROM origin
For details see the MSDN blog post: Combating ClickJacking With X-Frame-Options

Have a look at this:
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options#Configuring_Apache
It's basically a response header sent out on all responses. You can code your site to do this for each individual page, but a better approach, if you are able to edit the configuration for JUST YOUR SITE, is to handle it there...
Both APACHE and IIS should have options for this - the IIS one seems to be here:
http://support.microsoft.com/kb/2694329

For people looking to protect .NET 5.0 MVC / Razor Pages, add the following to your Configure method in Startup.cs:
app.Use(async (context, next) =>
{
    // Inline middleware: set the header before the rest of the pipeline runs
    context.Response.Headers.Add("X-Frame-Options", "DENY");
    await next();
});
Links
OWASP DotNet Security Cheat Sheet
Hanselman blog post on security headers
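The three answers above each emit the header from a different place (Global.asax, web.config, Startup.cs middleware), and the NOTE lists the three tokens it may carry. The check below, an added example that is not code from any of the answers, audits what a site actually sends: it classifies one response's headers by the token found, and flags a missing, repeated or malformed header as something a reviewer should fix. The sample responses are constructed; the audit runs offline on (name, value) pairs, the shape you get from http.client's getheaders() if you point it at a real server.

```python
# Added example (not code from the answers above): audit the X-Frame-Options
# header that Global.asax, web.config or the Startup.cs middleware emits.
# Input is a list of (name, value) header pairs so that duplicate headers survive.
from urllib.parse import urlsplit


def classify_x_frame_options(headers):
    """Return (verdict, detail) for one response's headers.

    verdict:
      'framable'   - no X-Frame-Options at all: any site may frame the page
      'protected'  - exactly one DENY or SAMEORIGIN
      'allow-from' - ALLOW-FROM with a bare origin (scheme://host[:port])
      'invalid'    - header present but malformed or repeated; report it as
                     framable, since the protection cannot be relied on
    """
    values = [v.strip() for name, v in headers if name.lower() == "x-frame-options"]
    if not values:
        return "framable", "X-Frame-Options header missing"
    if len(values) > 1:
        # Browsers differ in how they resolve repeated or conflicting values;
        # the fix is to emit the header exactly once, so flag it.
        return "invalid", "repeated X-Frame-Options headers: %r" % (values,)
    raw = values[0]
    parts = raw.split(None, 1)
    if not parts:
        return "invalid", "empty X-Frame-Options value"
    token = parts[0].upper()
    if token in ("DENY", "SAMEORIGIN"):
        if len(parts) > 1:
            return "invalid", "unexpected text after %s: %r" % (token, raw)
        return "protected", token
    if token == "ALLOW-FROM":
        if len(parts) != 2:
            return "invalid", "ALLOW-FROM requires an origin"
        origin = parts[1].strip()
        parsed = urlsplit(origin)
        if (parsed.scheme not in ("http", "https") or not parsed.netloc
                or parsed.path not in ("", "/") or parsed.query or parsed.fragment):
            return "invalid", "ALLOW-FROM argument is not a bare origin: %r" % origin
        return "allow-from", origin
    return "invalid", "unknown token: %r" % raw


def audit(responses):
    """Map each path to its verdict. responses: {path: [(name, value), ...]}."""
    return {path: classify_x_frame_options(hdrs)[0] for path, hdrs in responses.items()}


# Constructed sample responses for a site that sets the header inconsistently.
SAMPLE_RESPONSES = {
    "/": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "/account": [("Content-Type", "text/html"), ("x-frame-options", "sameorigin")],
    "/legacy.aspx": [("Content-Type", "text/html")],  # header forgotten on this page
    "/widget": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "/dup": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "/typo": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    for path, verdict in sorted(audit(SAMPLE_RESPONSES).items()):
        print("%-14s %s" % (path, verdict))
```

The per-page entry for /legacy.aspx is the case the Global.asax and web.config answers exist to prevent: a site-wide hook or configuration setting cannot forget a page, whereas setting the header page by page can.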

Related

IIS 10 response headers keep reverting after publishing from Visual Studio 2015

I follow something similar to these steps to add CORS to IIS 10, and after about 10 minutes the response header is removed and CORS stops working.
Open Internet Information Service (IIS) Manager.
Right click the site you want to enable CORS for and go to Properties.
Change to the HTTP Headers tab.
In the Custom HTTP headers section, click Add.
Enter Access-Control-Allow-Origin as the header name.
Enter * as the header value.
Click Ok twice.
Then I go back to Visual Studio and publish my project. Why are my CORS response headers being removed, and how do I make them stay?
Thanks to a strong hint from S. Walker, I went onto the server, modified the response header as desired and then looked at the web.config file.
It had added:
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
So I copied that into my project's web.config file and published. Now it doesn't disappear and CORS continues to work. Seems obvious now.

How to make AJAX work on subdomains

I have a plugin on my WordPress site, and this plugin is using AJAX to send the information to the database.
The problem is that I have subdomains on some pages of my website ("xxx.xyn.com"),
and the AJAX is working fine on the main domain xyn.com, but it's not working on the subdomains. So how can I make it work on subdomains too?
Here is the code:
var http_req = new XMLHttpRequest();
http_req.onreadystatechange = function () {
    eemail_submitresult(es_widget_form); // Passing the form to the submit request
};
http_req.open('POST', url, true); // url and parameters are set elsewhere in the plugin
http_req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_req.send(parameters);
So how can I make it work?
And if Access-Control-Allow-Origin is the solution, can you tell me how to allow it?
Is it code to add in JavaScript, PHP, .htaccess or Apache?
I am not sure what you mean, you are visiting a page of url xxx.xyn.com, and it fetches XHR data from xyn.com right?
In that case you will need to add the Access-Control-Allow-Origin header in the response from xyn.com. For more information, see the link above.
It should not send the request to the main site, because it works in the current site context. Did you check exactly what is in the "url" variable? Maybe there is a main site URL?
I solved my problem with this method and by adding the following code to .htaccess.
I wanted all subdomains to have access.
<IfModule mod_headers.c>
    # Capture the request's Origin only when it ends in .domain.com
    SetEnvIf Origin "^(.*\.domain\.com)$" ORIGIN_SUB_DOMAIN=$1
    # Reflect that origin; the header is omitted when the variable is unset
    Header set Access-Control-Allow-Origin "%{ORIGIN_SUB_DOMAIN}e" env=ORIGIN_SUB_DOMAIN
    Header set Access-Control-Allow-Methods "*"
    Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
</IfModule>
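The .htaccess answer above reflects the request's Origin into Access-Control-Allow-Origin whenever a regex matches it, and the IIS web.config answer in the earlier thread allows every origin with `*`. The code below, an added example rather than code from either answer, writes that origin decision out as a testable function so the regex can be exercised against the Origin values a server actually receives: a legitimate subdomain, a lookalike domain, and a subdomain of an attacker's domain that merely contains the target name. It also shows the loose variant that results from forgetting to escape the dot, and a tighter pattern that pins the scheme to https. The patterns and Origin values are constructed for the demonstration, with example.com standing in for the domain.com of the answer.

```python
# Added example (not code from the answers above): the origin check behind the
# .htaccess rule, written out so it can be tested, plus the wildcard case from
# the IIS web.config answer. Patterns and Origin values are constructed;
# example.com stands in for the domain.com of the .htaccess answer.
import re

# The .htaccess answer's regex, applied to the Origin request header, which a
# browser sends as scheme://host[:port] with no path. The escaped dot means
# the match must end in a literal ".example.com".
PAGE_PATTERN = re.compile(r"^(.*\.example\.com)$")

# A common mistake: leaving the dot unescaped. "." then matches any character,
# so "https://evilexample.com" also passes.
LOOSE_PATTERN = re.compile(r"^(.*example\.com)$")

# Tighter variant: https only, one or more DNS labels, optional port.
STRICT_PATTERN = re.compile(r"^(https://(?:[a-z0-9-]+\.)+example\.com(?::\d+)?)$")


def cors_headers(origin, pattern, allow_credentials=False):
    """Return the CORS response headers for a request carrying `origin`.

    pattern=None reproduces Access-Control-Allow-Origin: * from the web.config
    answer. An empty dict means "emit no header", which is what the
    env=ORIGIN_SUB_DOMAIN condition does in Apache when the regex did not match.
    """
    if pattern is None:
        if allow_credentials:
            # Browsers reject "*" on credentialed requests; a concrete origin
            # must be reflected instead.
            raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to grant
    m = pattern.match(origin)
    if not m:
        return {}
    headers = {
        "Access-Control-Allow-Origin": m.group(1),
        # The value now depends on the request, so caches must key on Origin.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed Origin values a server behind this rule might receive.
SAMPLE_ORIGINS = [
    "https://app.example.com",               # legitimate subdomain
    "https://example.com",                   # apex: not matched by PAGE_PATTERN
    "https://evilexample.com",               # lookalike domain
    "https://app.example.com.attacker.net",  # subdomain of attacker.net
    "http://app.example.com",                # plain http: PAGE_PATTERN allows it
]

if __name__ == "__main__":
    for o in SAMPLE_ORIGINS:
        print("%-40s page:%-6s loose:%-6s strict:%s" % (
            o,
            bool(cors_headers(o, PAGE_PATTERN)),
            bool(cors_headers(o, LOOSE_PATTERN)),
            bool(cors_headers(o, STRICT_PATTERN)),
        ))
```

Two things the table makes visible: the answer's regex does not match the apex origin https://example.com (which is fine for the asker, since requests from the main domain to itself are same-origin and need no CORS headers), and it accepts plain-http subdomains, which STRICT_PATTERN rejects. The `$` anchor is what keeps https://app.example.com.attacker.net out; dropping it would be the same class of mistake as the unescaped dot.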

What is the proper way to add rewrite rules in an Azure App Service

I want to add rewrite rules to my Azure app service, but if I even try to create a web.config with a simple rewrite as shown below, the site returns an HTTP 500.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Test" stopProcessing="true">
                    <match url="test" />
                    <action type="Rewrite" url="/index.html" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
What I did was create the web.config from scratch and FTP it into the wwwroot folder for the app service, which is where I FTP'd the rest of my web site files.
I have seen an old conversation about web.config files in Azure, but I'm not even sure if this is in regard to Azure app service, and things change so quickly in Azure that I thought I should ask separately anyway.
I have also seen this link about using web.config transforms. Maybe this is required?
This other link seems to indicate that updating web.config is possible, but their example results in an HTTP 500 for me as well.
I've looked through the configuration options in the Azure portal for my app service and nothing seems to jump out at me.
>>”This other link seems to indicate that updating web.config is possible”
Yes, we can update the configuration of a Web App by updating the Web.config file directly. You can upload a new version of the configuration file to the wwwroot folder by FTP/WebDeploy or any other way provided by Kudu. Another easy way to edit files in the wwwroot folder is the App Service Editor, which you can use to edit the configuration file.
I can’t reproduce your problem on my side. Here is what I did.
Create a Web App using a Web App Plan with the “Shared” SKU.
Create 2 files, an index.html file and a Web.config file. The content of Web.config is the same as yours.
Upload these files to the wwwroot folder of my web app using FTP.
Open a web browser and enter a URL like “http://xxx.azurewebsites.net/test”. The web server returns the content of index.html. That proves the rewrite is working fine.
>>”but their example results in an HTTP 500 for me as well.”
Firstly, please make sure whether the rewrite is working fine or not. I suggest you view the index.html page directly and check whether the error code (500) comes from the index.html page.
Sometimes we provide the wrong syntax for a rewrite rule, and it returns 500 (URL Rewrite Module Error). Have you enabled Detailed Error Logging and Web Server Logging for your web app? If yes, you can view the detailed error message to get more useful information. For how to enable and view diagnostics logging, see the link below.
Enable diagnostics logging for web apps in Azure App Service

How to 301 redirect an ASP page to another domain using the web.config file

How do I redirect an ASP page (http://www.example.com/page.asp?id=11) to another domain (http://www.anothersite.com) using the web.config file? I used the code below but it is not working.
<configuration>
    <location path="http://www.example.com/page.asp?id=11">
        <system.webServer>
            <httpRedirect enabled="true" destination="http://www.anothersite.com" httpResponseStatus="Permanent" />
        </system.webServer>
    </location>
</configuration>
Thanks.
You're probably better off doing this using URLRewrite or adding some suitable logic to custom error page handling.
Have a look at the answers to this question: Configuring custom ASP 404 page with redirect for IIS7 website

Server error: 405 - HTTP verb used to access this page is not allowed

I have a PHP Facebook application which I have uploaded to a Microsoft server. When I run the application I get this error. Does anybody know the cause of this?
405 - HTTP verb used to access this page is not allowed. The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.
Whether you are using IIS or Apache, my guess is that you are using a static HTML page as a landing page, and by default the web server doesn't allow the POST or GET verb on a .html page; Facebook calls your page via the POST/GET verb.
The solution would be to rename the page to .php or .aspx,
and you should be good to go :)
In the Facebook app control panel make sure you have a forward slash on the end of any specified URL if you are only specifying a folder name
i.e.
Page Tab URL: http://mypagetabserver.com/custom_tab/
You can add these lines to the web.config:
<system.webServer>
    <modules>
        <remove name="WebDAVModule" />
    </modules>
    <handlers>
        <remove name="WebDAV" />
    </handlers>
</system.webServer>
It means literally that you're trying to use the wrong HTTP verb when accessing some HTTP content. A lot of content on web services you need to use a POST to consume. I suspect you're trying to access the Facebook API using the wrong HTTP verb.
I fixed mine by adding these lines to my IIS web.config.
<httpErrors>
    <remove statusCode="405" subStatusCode="-1" />
    <error statusCode="405" prefixLanguageFilePath="" path="/my-page.htm" responseMode="ExecuteURL" />
</httpErrors>
I've been pulling my hair out over this one for a couple of hours also. fakeartist appears correct though - I changed the file extension from .htm to .php and I can now see my page in Facebook! It also works if you change the extension to .aspx - perhaps it just needs to be a server side extension (I've not tried with .jsp).
Try renaming the default file. In my case, a recent move to IIS7.5 gave the 405 error. I changed index.aspx to default.aspx and it worked immediately for me.
In my case, IIS was fine but.. uh.. all the files in the folder except web.config had been deleted (a manual deployment half-done on a test site).
I got this error when I was using jQuery and the lib was not present in the given path; once the jQuery lib was added back, the error was gone.
[File name - calculate.html]
I had this error on the host too (my project was a .NET Core 2.1 Web API).
Please add this code to the web.config on the host:
<modules>
    <remove name="WebDAVModule" />
</modules>
