Not working on Azure websites

Sep 1, 2013 at 4:26 AM
Edited Sep 1, 2013 at 4:28 AM
Nuget package NWebSec.mvc is not working on Azure websites.

My configuration is as below:
<configuration>
  <!-- web.config fragment; unrelated sections omitted -->
  <nwebsec>
    <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
      <suppressVersionHttpHeaders enabled="true" />
      <redirectValidation enabled="true" />
      <securityHttpHeaders>
        <x-Frame-Options policy="Deny"/>
        <x-Content-Type-Options enabled="true" />
      </securityHttpHeaders>
    </httpHeaderSecurityModule>
  </nwebsec>
</configuration>
This is what I see in Firebug: [image]
Coordinator
Sep 1, 2013 at 6:18 PM
Edited Sep 1, 2013 at 6:21 PM
Hi,

Yes, NWebsec doesn't seem to be in effect in your application. You should check that the HttpHeaderSecurityModule is loaded; refer to Configuration to learn more. If you installed the NWebsec packages through NuGet, this configuration should have been added on installation. When the module is up and running with your configuration, you'll see that the X-AspNet-Version and X-AspNetMvc-Version headers are removed.

I'm running NWebsec on my personal website (an Azure website) with the same configuration as you posted, here's what you'll see there:
Server: Microsoft-IIS/8.0
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Note that NWebsec cannot remove the Server and X-Powered-By headers you see for Azure websites, they're added by an intermediate server. Consequently they're "out-of-reach" for NWebsec. It seems Microsoft is using Application Request Routing to load balance Azure websites, and that's where those headers are added. If you run your application in an Azure web role, you'll see that the version headers are removed.

As a final note, the X-Frame-Options and x-content-type-options headers you see are probably emitted either in code, or through other config in your application. When you get NWebsec up and running you'll likely see these headers being added multiple times to responses. In that case, you should consider removing the existing code/config and leave it to NWebsec to handle the headers.

Hope that helps!
Sep 1, 2013 at 8:00 PM
Edited Sep 1, 2013 at 8:00 PM
Thanks for your detailed response. Yes, I am running an Azure Website. It does work on my local IIS. I have installed nwebsec.mvc through the NuGet package. I agree with you about the ARR issue. I found an Azure feedback entry about this issue at Support disabling headers in Azure Web Sites

Thanks for the great NuGet package.
Coordinator
Sep 1, 2013 at 8:38 PM
Thanks for the feedback!

It does work on your local IIS but not as an Azure web site? You don't see the X-AspNet-Version and X-AspNetMvc-Version headers when running locally?
Sep 1, 2013 at 10:36 PM
Correct, on local IIS, X-AspNet-Version and X-AspNetMvc-Version headers are not present. Below are the headers in local IIS version.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
Date: Sun, 01 Sep 2013 22:32:29 GMT
Content-Length: 4179

I do have the below in my config file.
<httpProtocol>
  <customHeaders>
    <clear />
  </customHeaders>
</httpProtocol>
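The coordinator's reply describes three things to look for in a response when checking whether the module is in effect: the X-AspNet-Version and X-AspNetMvc-Version headers disappear, Server and X-Powered-By may still be present because an intermediate server (ARR) adds them beyond NWebsec's reach, and X-Frame-Options or X-Content-Type-Options may appear more than once when both application code and NWebsec emit them. The following Python script is an added example (not NWebsec project code and not posted in this thread) that applies those checks to a raw response header block. The three sample responses are constructed: the first two reuse the header lines quoted in this thread (local IIS and the Azure website), and the third is a hypothetical response from an application where the module is not loaded. The header names and expected values are taken from the posted configuration; the function names are my own.

```python
"""Audit a raw HTTP response header block for the headers discussed in the thread.

Added example, not part of the NWebsec project or this thread. The sample
responses below are constructed for illustration.
"""
from collections import Counter

# Headers the posted <securityHttpHeaders> config makes NWebsec add, with the
# value expected for each (policy="Deny" and enabled="true" -> nosniff).
EXPECTED = {"x-frame-options": "deny", "x-content-type-options": "nosniff"}
# Headers <suppressVersionHttpHeaders enabled="true"/> is expected to remove.
VERSION_HEADERS = {"x-aspnet-version", "x-aspnetmvc-version"}
# Headers the thread says are added by the Azure front end (ARR) and are
# therefore out of reach for the module.
OUT_OF_REACH = {"server", "x-powered-by"}


def parse_headers(raw):
    """Return (name, value) pairs from a raw header block.

    Names are lowercased, an HTTP/1.x status line is skipped, and duplicate
    headers are kept so the caller can detect them.
    """
    pairs = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Summarise what the response tells us about the module's state."""
    pairs = parse_headers(raw)
    counts = Counter(name for name, _ in pairs)
    first_value = {}
    for name, value in pairs:
        first_value.setdefault(name, value)

    findings = {
        # Security headers the config should have produced but that are absent.
        "missing": sorted(h for h in EXPECTED if h not in counts),
        # Present but with a value other than the one the config asks for.
        "wrong_value": sorted(
            h for h, want in EXPECTED.items()
            if h in first_value and first_value[h].lower() != want
        ),
        # Version headers still present: the module is not removing them.
        "version_leaks": sorted(h for h in VERSION_HEADERS if h in counts),
        # Any header emitted more than once (e.g. by app code and NWebsec).
        "duplicates": sorted(h for h, n in counts.items() if n > 1),
        # Headers present that NWebsec cannot remove on Azure websites.
        "out_of_reach": sorted(h for h in OUT_OF_REACH if h in counts),
    }
    # The thread's test for "module up and running": version headers gone.
    findings["module_active"] = not findings["version_leaks"]
    return findings


# Constructed sample 1: the local IIS response quoted in the thread.
LOCAL_IIS = """
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
Date: Sun, 01 Sep 2013 22:32:29 GMT
Content-Length: 4179
"""

# Constructed sample 2: the Azure website headers quoted by the coordinator.
AZURE_WEBSITE = """
Server: Microsoft-IIS/8.0
X-Frame-Options: Deny
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
"""

# Constructed sample 3 (hypothetical): module not loaded, X-Frame-Options set
# by application code only, version headers still leaking.
MODULE_NOT_LOADED = """
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: Deny
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
"""

if __name__ == "__main__":
    for label, sample in (("local IIS", LOCAL_IIS),
                          ("Azure website", AZURE_WEBSITE),
                          ("module not loaded", MODULE_NOT_LOADED)):
        print(label, audit(sample))
```

For the Azure sample the script reports both X-Powered-By lines as a duplicate; that is expected, since one comes from ARR and one from ASP.NET, and it is exactly the case the thread says NWebsec cannot fix. A duplicate X-Frame-Options or X-Content-Type-Options, by contrast, is the signal the coordinator describes for removing the application's own header code once the module is active.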
Coordinator
Sep 20, 2013 at 7:53 PM
I'm sorry for the tardy response.

It's strange that NWebsec doesn't remove the X-AspNet-Version and X-AspNetMvc-Version headers. Could there be differences in config for the Azure website vs on your localhost? Release/debug configurations for example?
Sep 20, 2013 at 11:59 PM
Sorry for the confusion. NWebsec does remove the X-AspNet-Version and X-AspNetMvc-Version headers. It does not remove the X-Powered-By and Server headers, which I understand are added by an intermediate server over which we do not have control.
Coordinator
Sep 21, 2013 at 6:43 PM
Ok, thanks for clearing that up!