OWASP Top Ten to Secure SharePoint Public Site (Part 5)

dIn part 4, we have sanitize response header from SharePoint portal by modifying response header through web.config custom header modification.

Unfortunately, during my testing not all response header can be modified using this technique. Therefore we need to use custom httpmodule to clean-up the response header. Following are the list header that will be removed from the response using this technique:

  1. Server
  2. X-AspNet-Version
  3. X-SharePointHealthScore
  4. SPRequestGuid
  5. X-Powered-By
  6. MicrosoftSharePointTeamServices
  7. SPIisLatency
  8. SPRequestDuration
  9. X-MS-InvokeApp

We also want to add additional response header:

  1. X-Xss-Protection

To do this, first you have to create App_Code folder in the root. Create CustomHttpModule.cs (you can name differently), and tpe following content

And finally our complete web.config will be look like below:

 

Leave a Reply