ASP.NET web.config syntax issue
I am working on an ASP.NET application to remove security vulnerabilities. The vulnerabilities I want to discuss are 'X-XSS Protection' and 'clickjacking'.
I searched and followed this link. I used the solution under the heading 'Using <customHeaders> in Web.Config'.
After this, when I ran the application, I got a 500 internal server error: HTTP Error 500.19 - Internal Server Error. In the detailed error information, under the Config Error label, it says: Unrecognized element 'add'.
After this I removed the closing </add> tags and was left with just <add name="X-Frame-Options" value="DENY"/>, and now the application runs properly.
I need some help on the following points:
- Why does the syntax given in the above link not work?
- Can anyone explain the significance of the lines below?

```xml
<add name="X-Frame-Options" value="DENY"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>
```

I know a little: these are additional security headers. Thanks.
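
As an added example (not part of the original question or of any answer): a small Python check that the three headers from the question sit inside `system.webServer/httpProtocol/customHeaders`, the collection where IIS accepts `<add>` entries for response headers. The two web.config samples and the name `check_headers` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Header names and values are the three from the question.
EXPECTED = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}
HEADERS_PATH = "system.webServer/httpProtocol/customHeaders"

# Constructed sample: every <add> sits inside <customHeaders>. An explicit
# close tag and the self-closing form parse to the same empty element.
GOOD = """<configuration><system.webServer><httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-XSS-Protection" value="1; mode=block"></add>
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol></system.webServer></configuration>"""

# Constructed sample: the <customHeaders> wrapper is missing.
MISPLACED = """<configuration><system.webServer><httpProtocol>
  <add name="X-Frame-Options" value="DENY" />
</httpProtocol></system.webServer></configuration>"""


def check_headers(config_xml):
    """Return a list of findings; an empty list means all three are set."""
    root = ET.fromstring(config_xml)  # raises ParseError on malformed XML
    section = root.find(HEADERS_PATH)
    adds = section.findall("add") if section is not None else []
    configured = {a.get("name"): a.get("value", "") for a in adds}
    findings = []
    # Flag header entries that are direct children of any other element.
    for parent in root.iter():
        if parent is section:
            continue
        for child in parent.findall("add"):
            if child.get("name") in EXPECTED:
                findings.append(f"{child.get('name')}: <add> is under "
                                f"<{parent.tag}>, not <customHeaders>")
    for name, want in EXPECTED.items():
        got = configured.get(name)
        if got is None:
            findings.append(f"{name}: not set in {HEADERS_PATH}")
        elif got != want:
            findings.append(f"{name}: value {got!r} differs from {want!r}")
    return findings
```
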
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
