
For example, I want to set `"X-Content-Type-Options": "nosniff"` to prevent MIME sniffing. I could set it in web.config:

```xml
<add name="X-Content-Type-Options" value="nosniff" />
```

I could also set the value in global.asax.cs:

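```csharp
protected void Application_PreSendRequestHeaders(Object source, EventArgs e) {
   // Set the header on the outgoing response; request headers are never sent to the client.
   HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
```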

What is the difference?

Should I set the header in both places?

Is there any best practice for that?

Ali Soltani
allencharp
  • 2
    If you have it in the web.config, you can change it later, at runtime, without having to recompile and redeploy your app ..... – marc_s Dec 19 '17 at 06:02
  • Hi @marc_s, not quite clear about your meaning... could you give more specific details... Thanks! – allencharp Dec 19 '17 at 06:22
  • 2
    If you define your headers in **code** (in the `global.asax.cs`) they're part of your application and **cannot** be changed - unless you change your code and re-deploy your application. Having them in the `web.config` allows you to change these values just by simply editing the `web.config` - no code changes needed, no redeployment needed etc. - don't know what more "specific details" I can tell you ... – marc_s Dec 19 '17 at 06:56
  • Possible duplicate of [How can I add “X-Content-Type-Options: nosniff” in Global.asax.cs to prevent mime sniff](https://stackoverflow.com/questions/47880445/how-can-i-add-x-content-type-options-nosniff-in-global-asax-cs-to-prevent-mim) – VIGNESH ARUNACHALAM Dec 19 '17 at 09:13
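
The `<add>` element from the question shown in its full web.config context, as an added example that is not part of the original post or comments. It assumes IIS 7 or later, where custom response headers are configured under `system.webServer/httpProtocol/customHeaders`; the `<remove>` line is an addition for the case where a parent configuration already defines the same header.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any entry inherited from a parent web.config or the server
             level first; a second <add> with the same name is a duplicate
             collection entry and IIS rejects the configuration. -->
        <remove name="X-Content-Type-Options" />
        <!-- IIS attaches this header to the responses it serves for this
             application; editing the value needs no recompile. -->
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```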

0 Answers