How can I add “X-Content-Type-Options: nosniff” in Global.asax.cs to prevent mime sniff

Question

I have modified the web.config as to prevent the mime sniff.

<configuration>
   <system.webServer>
      <httpProtocol>
         <customHeaders>
            <add name="X-Content-Type-Options" value="nosniff" />
         </customHeaders>
      </httpProtocol>
   </system.webServer>
</configuration>

but code scan tool still told me that global.asax.cs has the vulnerabilities

Application_BeginRequest is either empty or does not include a function call to set the X-Content-Type-Options to nosniff or attempts to remove that header.

So how to set X-Content-Type-Options: nosniff in Global.asax.cs ?

@VIGNESHARUNACHALAM we don't want to handle the problem in IIS. because sometimes the code is not deployed in IIS.... we want to handle directly in code level — allencharp, Dec 19 '17 at 05:41
IIS version is important because if it's < v7 the settings need to go in the system.web section rather than the system.webServer. — Stuart Dobson, Jul 17 '19 at 04:11

score 6 · Answer 1 · answered Dec 19 '17 at 06:46

6

Using in Web.Config

To add these headers, go to the <customHeaders> node previously added and add those headers inside the <customHeaders> node.

<httpprotocol> 
 <customheaders> 
    <add name="X-Content-Type-Options" value="nosniff "/>
 </customheaders> 
</httpprotocol>

Using global.asax.cs

protected void Application_PreSendRequestHeaders(Object source, EventArgs e) {
   HttpContext.Current.Request.Headers.Add("X-Content-Type-Options", "nosniff");
}

answered Dec 19 '17 at 06:46

VIGNESH ARUNACHALAM

652
4
24

@allencharp for more details,http://www.insiderattack.net/2014/04/configuring-secure-iis-response-headers.html & https://vulncat.hpefod.com/en/detail?id=desc.structural.dotnet.html5_mime_sniffing – VIGNESH ARUNACHALAM Dec 19 '17 at 06:48
Hi what's the difference of the two ways... should I implement both ways on the code or just one of them ? – allencharp Dec 19 '17 at 06:55
If you have it in the web.config, you can change it later, at runtime, without having to recompile and redeploy your app. – VIGNESH ARUNACHALAM Dec 19 '17 at 06:58
If you define your headers in code (in the global.asax.cs) they're part of your application and cannot be changed - unless you change your code and re-deploy your application. Having them in the web.config allows you to change these values just by simply editing the web.config - no code changes needed, no redeployment needed etc. – VIGNESH ARUNACHALAM Dec 19 '17 at 06:58

How can I add “X-Content-Type-Options: nosniff” in Global.asax.cs to prevent mime sniff

1 Answers1

Linked