4 January, 2022

ASP.NET 4.x Notes

Request Header

private void ConfigureAuth(IAppBuilder builder)
{
  // OWIN middleware: add a default X-Teach request header when the client sent none.
  builder.Use((context, next) =>
  {
    if (context.Request.Headers["X-Teach"] == null)
    {
      context.Request.Headers.Add("X-Teach", new[] { "something" });
    }
    return next.Invoke();
  });
}

Security

Remove server and version information from response headers in Web.config:

<system.web>
  <httpRuntime maxRequestLength="12288" enableVersionHeader="false" targetFramework="4.7.2" />
</system.web>
<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

In Global.asax, remove the X-AspNetMvc-Version response header:

MvcHandler.DisableMvcResponseHeader = true;

Add the Content-Security-Policy header and set the cookie flags in Web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
<system.web>
  <httpCookies sameSite="Strict" requireSSL="true" />
</system.web>
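
A check for the settings above, as an added example that is not part of the original notes: it parses a raw response header block and reports any version header still being sent, a missing frame-ancestors 'none' directive, and cookies without Secure or SameSite=Strict. The HeaderAudit class, its Check method and the sample response are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class HeaderAudit  // hypothetical helper, not from the notes
{
    // Headers the Web.config and Global.asax settings above are meant to remove.
    static readonly string[] Leaky = { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    public static List<string> Check(string rawHeaders)
    {
        // Parse "Name: value" lines; a name can repeat (e.g. Set-Cookie).
        var headers = rawHeaders.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(l => l.Split(new[] { ':' }, 2))
            .Where(p => p.Length == 2)
            .ToLookup(p => p[0].Trim(), p => p[1].Trim(), StringComparer.OrdinalIgnoreCase);

        var findings = new List<string>();
        foreach (var name in Leaky.Where(n => headers.Contains(n)))
            findings.Add("still sent: " + name + ": " + headers[name].First());

        // A CSP value may carry several directives separated by ';'.
        var directives = headers["Content-Security-Policy"]
            .SelectMany(v => v.Split(';')).Select(d => d.Trim());
        if (!directives.Any(d => d.Equals("frame-ancestors 'none'", StringComparison.OrdinalIgnoreCase)))
            findings.Add("missing CSP directive: frame-ancestors 'none'");

        foreach (var cookie in headers["Set-Cookie"])
        {
            var name = cookie.Split('=')[0];
            var attrs = cookie.Split(';').Skip(1).Select(a => a.Trim()).ToList();
            if (!attrs.Contains("Secure", StringComparer.OrdinalIgnoreCase))
                findings.Add("cookie " + name + " lacks Secure");
            if (!attrs.Contains("SameSite=Strict", StringComparer.OrdinalIgnoreCase))
                findings.Add("cookie " + name + " lacks SameSite=Strict");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample response headers, not captured from a real server.
        var sample = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-AspNetMvc-Version: 5.2\r\n" +
                     "Content-Security-Policy: default-src 'self'\r\n" +
                     "Set-Cookie: auth=abc; path=/; HttpOnly; SameSite=Lax\r\n";
        Check(sample).ForEach(Console.WriteLine);
    }
}
```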

In Regedit, check which .NET Framework version is installed under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

CORS for Angular Client

Old SignalR documentation: https://docs.microsoft.com/en-us/aspnet/signalr/overview/guide-to-the-api/hubs-api-guide-javascript-client

using System.Web.Http.Cors;

public static class WebApiConfig {
  public static void Register(HttpConfiguration aConfig) {
    // Allow only the Angular dev server origin; any request header and any HTTP method.
    aConfig.EnableCors(new EnableCorsAttribute("http://localhost:4200", "*", "*"));
  }
}