Add to Global.asax (the application class; `.ascx` is the user-control extension, not the global application file)
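/// <summary>
/// Runs once per request before any handler executes. Strips the IIS "Server"
/// banner from the response so the exact IIS version is not advertised.
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Unused.</param>
/// <remarks>
/// NOTE(review): this handler originally also did
/// <c>Response.AddHeader("X-Frame-Options", "DENY")</c> while Web.config's
/// &lt;customHeaders&gt; adds <c>X-Frame-Options: SAMEORIGIN</c>. IIS appends
/// customHeaders at send time and does not replace a header the app already set,
/// so the browser received two conflicting values, which browsers handle
/// inconsistently. Framing policy now lives only in Web.config (X-Frame-Options
/// plus CSP frame-ancestors); if DENY is really wanted, change it there instead
/// of re-adding the header here.
///
/// <c>Response.Headers</c> is only available on the IIS integrated pipeline
/// (classic mode throws <c>PlatformNotSupportedException</c>); the null checks
/// below only guard the object graph, not the pipeline mode. If the header still
/// appears, IIS is adding it after this point - on IIS 10+ prefer
/// <c>&lt;requestFiltering removeServerHeader="true" /&gt;</c>, or move the
/// removal to <c>Application_PreSendRequestHeaders</c>.
/// </remarks>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application == null || application.Context == null || application.Context.Response == null)
    {
        return;
    }

    // Remove the "Server: Microsoft-IIS/x.y" banner added by IIS.
    application.Context.Response.Headers.Remove("Server");
}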
Add to Web.config (inside the root `<configuration>` element)
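<system.webServer>
  <!-- Response headers IIS adds to / removes from every response (static files included).
       The original snippet was missing the opening <httpProtocol> element, which makes the
       section invalid; it is restored here. -->
  <httpProtocol>
    <customHeaders>
      <!-- NOTE(review): this CSP gives almost no XSS protection as written. 'unsafe-inline' and
           'unsafe-eval' allow injected inline scripts, and data: in default-src also applies to
           script-src (no explicit script-src is given), so data: URI scripts are allowed too.
           Treat it as a starting point: replace it with an explicit script-src allow-list (or
           nonces/hashes) and add object-src 'none' / base-uri 'self' once the application's real
           sources are known. frame-ancestors 'self' is added because it mirrors the
           X-Frame-Options SAMEORIGIN value below and modern browsers honour it in preference
           to X-Frame-Options. -->
      <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
      <!-- Stops browsers from MIME-sniffing a response away from its declared Content-Type. -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <!-- NOTE(review): changed from "1; mode=block" to "0". The legacy XSS auditor has been
           removed from Chromium-based browsers (Firefox never had one) and its block mode was
           abused for cross-site leaks, so current OWASP guidance is to disable it explicitly.
           CSP is the real control. -->
      <add name="X-XSS-Protection" value="0" />
      <!-- Clickjacking: only same-origin pages may frame this site. Keep this in sync with the
           CSP frame-ancestors directive above, and do NOT also add X-Frame-Options from code
           (e.g. in Global.asax): IIS appends this header at send time, so the browser would
           receive two conflicting values. -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <!-- Drops the "X-Powered-By: ASP.NET" banner. -->
      <remove name="X-Powered-By"/>
      <!-- Not set here but worth adding on HTTPS-only sites: Strict-Transport-Security and
           Referrer-Policy. -->
    </customHeaders>
  </httpProtocol>
  <security>
    <requestFiltering>
      <!-- Requests using these verbs are rejected by IIS request filtering before they reach
           the application. -->
      <verbs>
        <!-- TRACE is never needed by browsers and enables cross-site tracing. -->
        <add verb="TRACE" allowed="false" />
        <!-- NOTE(review): blocking HEAD breaks load-balancer / uptime health checks and HTTP
             caches that probe with HEAD; blocking OPTIONS breaks CORS preflight requests.
             Keep these two only if nothing in front of the application relies on them. -->
        <add verb="HEAD" allowed="false" />
        <add verb="OPTIONS" allowed="false" />
      </verbs>
      <!-- On IIS 10+, removeServerHeader="true" on this element is the reliable way to drop the
           "Server" header. Older IIS versions do not recognise the attribute and fail to load
           the config, so it is deliberately not set here. -->
    </requestFiltering>
  </security>
</system.webServer>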
Add to Web.config (inside the root `<configuration>` element)
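<system.web>
  <!-- Hide stack traces and framework internals from clients; the generic error page is shown
       instead. Keep mode="On" (not RemoteOnly) unless local debugging needs the raw error.
       With the default redirectMode the client gets a 302 to the error page; use
       redirectMode="ResponseRewrite" if the error page should be served at the original URL. -->
  <customErrors mode="On" defaultRedirect="~/WebPagesError/ErrorPage.aspx" >
  </customErrors>
  <!-- ViewState is always encrypted and MAC-protected, so it can neither be read nor tampered
       with on the client. enableViewStateMac="true" must never be turned off: without the MAC,
       ViewState is exposed to well-known deserialization attacks. validateRequest="true" keeps
       ASP.NET request validation on. -->
  <pages viewStateEncryptionMode="Always" validateRequest="true" enableViewState="true" enableViewStateMac="true" controlRenderingCompatibilityVersion="3.5"/>
  <!-- Cookies are HttpOnly, so script cannot read them (limits the impact of XSS). On an
       HTTPS-only site also set requireSSL="true" so cookies carry the Secure flag and the
       session cookie never travels over plain HTTP. -->
  <httpCookies httpOnlyCookies="true" />
  <!-- Removes the X-AspNet-Version response header. -->
  <httpRuntime enableVersionHeader="false" />
  <!-- NOTE(review): the original used validation="3DES". 3DES is deprecated for new use (64-bit
       block size, Sweet32) and is a legacy machineKey option; HMACSHA256 for validation with AES
       for decryption is the current recommendation and is available on .NET 4.0+, which this
       config already requires (controlRenderingCompatibilityVersion is a 4.0+ attribute).
       Keys are auto-generated here, which is fine for a single server; in a web farm the same
       validationKey/decryptionKey must be set on every node and kept out of source control
       (config transform or an encrypted section). -->
  <machineKey validation="HMACSHA256" decryption="AES"/>
</system.web>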
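/// <summary>
/// Runs once per request before any handler executes. Strips the IIS "Server"
/// banner from the response so the exact IIS version is not advertised.
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Unused.</param>
/// <remarks>
/// NOTE(review): this handler originally also did
/// <c>Response.AddHeader("X-Frame-Options", "DENY")</c> while Web.config's
/// &lt;customHeaders&gt; adds <c>X-Frame-Options: SAMEORIGIN</c>. IIS appends
/// customHeaders at send time and does not replace a header the app already set,
/// so the browser received two conflicting values, which browsers handle
/// inconsistently. Framing policy now lives only in Web.config (X-Frame-Options
/// plus CSP frame-ancestors); if DENY is really wanted, change it there instead
/// of re-adding the header here.
///
/// <c>Response.Headers</c> is only available on the IIS integrated pipeline
/// (classic mode throws <c>PlatformNotSupportedException</c>); the null checks
/// below only guard the object graph, not the pipeline mode. If the header still
/// appears, IIS is adding it after this point - on IIS 10+ prefer
/// <c>&lt;requestFiltering removeServerHeader="true" /&gt;</c>, or move the
/// removal to <c>Application_PreSendRequestHeaders</c>.
/// </remarks>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    var application = sender as HttpApplication;
    if (application == null || application.Context == null || application.Context.Response == null)
    {
        return;
    }

    // Remove the "Server: Microsoft-IIS/x.y" banner added by IIS.
    application.Context.Response.Headers.Remove("Server");
}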
Add to Web.config (inside the root `<configuration>` element)
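<system.webServer>
  <!-- Response headers IIS adds to / removes from every response (static files included). -->
  <httpProtocol>
    <customHeaders>
      <!-- NOTE(review): this CSP gives almost no XSS protection as written. 'unsafe-inline' and
           'unsafe-eval' allow injected inline scripts, and data: in default-src also applies to
           script-src (no explicit script-src is given), so data: URI scripts are allowed too.
           Treat it as a starting point: replace it with an explicit script-src allow-list (or
           nonces/hashes) and add object-src 'none' / base-uri 'self' once the application's real
           sources are known. frame-ancestors 'self' is added because it mirrors the
           X-Frame-Options SAMEORIGIN value below and modern browsers honour it in preference
           to X-Frame-Options. -->
      <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
      <!-- Stops browsers from MIME-sniffing a response away from its declared Content-Type. -->
      <add name="X-Content-Type-Options" value="nosniff" />
      <!-- NOTE(review): changed from "1; mode=block" to "0". The legacy XSS auditor has been
           removed from Chromium-based browsers (Firefox never had one) and its block mode was
           abused for cross-site leaks, so current OWASP guidance is to disable it explicitly.
           CSP is the real control. -->
      <add name="X-XSS-Protection" value="0" />
      <!-- Clickjacking: only same-origin pages may frame this site. Keep this in sync with the
           CSP frame-ancestors directive above, and do NOT also add X-Frame-Options from code
           (e.g. in Global.asax): IIS appends this header at send time, so the browser would
           receive two conflicting values. -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <!-- Drops the "X-Powered-By: ASP.NET" banner. -->
      <remove name="X-Powered-By"/>
      <!-- Not set here but worth adding on HTTPS-only sites: Strict-Transport-Security and
           Referrer-Policy. -->
    </customHeaders>
  </httpProtocol>
  <security>
    <requestFiltering>
      <!-- Requests using these verbs are rejected by IIS request filtering before they reach
           the application. -->
      <verbs>
        <!-- TRACE is never needed by browsers and enables cross-site tracing. -->
        <add verb="TRACE" allowed="false" />
        <!-- NOTE(review): blocking HEAD breaks load-balancer / uptime health checks and HTTP
             caches that probe with HEAD; blocking OPTIONS breaks CORS preflight requests.
             Keep these two only if nothing in front of the application relies on them. -->
        <add verb="HEAD" allowed="false" />
        <add verb="OPTIONS" allowed="false" />
      </verbs>
      <!-- On IIS 10+, removeServerHeader="true" on this element is the reliable way to drop the
           "Server" header. Older IIS versions do not recognise the attribute and fail to load
           the config, so it is deliberately not set here. -->
    </requestFiltering>
  </security>
</system.webServer>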
Add to Web.config (inside the root `<configuration>` element)
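<system.web>
  <!-- Hide stack traces and framework internals from clients; the generic error page is shown
       instead. Keep mode="On" (not RemoteOnly) unless local debugging needs the raw error.
       With the default redirectMode the client gets a 302 to the error page; use
       redirectMode="ResponseRewrite" if the error page should be served at the original URL. -->
  <customErrors mode="On" defaultRedirect="~/WebPagesError/ErrorPage.aspx" >
  </customErrors>
  <!-- ViewState is always encrypted and MAC-protected, so it can neither be read nor tampered
       with on the client. enableViewStateMac="true" must never be turned off: without the MAC,
       ViewState is exposed to well-known deserialization attacks. validateRequest="true" keeps
       ASP.NET request validation on. -->
  <pages viewStateEncryptionMode="Always" validateRequest="true" enableViewState="true" enableViewStateMac="true" controlRenderingCompatibilityVersion="3.5"/>
  <!-- Cookies are HttpOnly, so script cannot read them (limits the impact of XSS). On an
       HTTPS-only site also set requireSSL="true" so cookies carry the Secure flag and the
       session cookie never travels over plain HTTP. -->
  <httpCookies httpOnlyCookies="true" />
  <!-- Removes the X-AspNet-Version response header. -->
  <httpRuntime enableVersionHeader="false" />
  <!-- NOTE(review): the original used validation="3DES". 3DES is deprecated for new use (64-bit
       block size, Sweet32) and is a legacy machineKey option; HMACSHA256 for validation with AES
       for decryption is the current recommendation and is available on .NET 4.0+, which this
       config already requires (controlRenderingCompatibilityVersion is a 4.0+ attribute).
       Keys are auto-generated here, which is fine for a single server; in a web farm the same
       validationKey/decryptionKey must be set on every node and kept out of source control
       (config transform or an encrypted section). -->
  <machineKey validation="HMACSHA256" decryption="AES"/>
</system.web>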