Ensures user cookie is encrypted, removes ASP.Net headers from being returned in our response. Ensures

that our auth cookie is httponly.
2013-04-25 13:25:25 -10:00
parent 34163625fe
commit 46858af1ed
5 changed files with 37 additions and 31 deletions
--- a/src/Umbraco.Web/UmbracoModule.cs
+++ b/src/Umbraco.Web/UmbracoModule.cs
@@ -424,6 +424,15 @@ namespace Umbraco.Web
 						LogHelper.Debug<UmbracoModule>("Total milliseconds for umbraco request to process: " + DateTime.Now.Subtract(UmbracoContext.Current.ObjectCreated).TotalMilliseconds);
 					}					
 				};
+
+            //disable asp.net headers (security)
+		    app.PreSendRequestHeaders += (sender, args) =>
+		        {
+                    var httpContext = ((HttpApplication)sender).Context;
+                    httpContext.Response.Headers.Remove("Server");
+                    //this doesn't normally work since IIS sets it but we'll keep it here anyways.
+                    httpContext.Response.Headers.Remove("X-Powered-By");
+		        };
 		}

 		public void Dispose()