HttpHeaderSetter and cache management

Jan 27, 2014 at 11:45 AM
Edited Jan 27, 2014 at 1:17 PM
Hello,

After having upgraded one of our applications to the latest version of NWebsec, it appeared that our custom ASP.NET output caching profiles stopped working correctly. The root cause was easy to find and is due to HttpHeaderSetter, which now removes or overrides HTTP headers with hard-coded values, even if they have been excluded by the configuration policy (https://nwebsec.codeplex.com/SourceControl/diff/file/view/c4ac062e6d7ab6ef5685361ed5b7043d2f5c974b?fileId=Source%2FNWebsec%2FHttpHeaders%2FHttpHeaderSetter.cs).

This is particularly sad for caching-related headers as you can't apply fine-grained caching policies anymore. Is there a reason for overriding all these attributes when they are supposed to be ignored?

Thanks!
Coordinator
Jan 28, 2014 at 8:42 PM
Thank you for reporting this, I have successfully reproduced the behaviour.

Yes, there is a reason for the change in behaviour. NWebsec was initially designed to do its work in the PreSendRequestHeaders event - an event that should no longer be used according to "What not to do in ASP.NET, and what to do instead". To move NWebsec off the deprecated event in a somewhat timely manner, I had to do some workarounds under the "old" design. It is now clear that they were not optimal for all scenarios.

I'm currently working on redesigning the internals of NWebsec, not only because of the death of the PreSendRequestHeaders event, but also to support NWebsec OWIN middleware.

I consider the issue you report severe enough to mandate a bugfix in the current version of NWebsec. I'm looking into that now and will provide an updated version as soon as I've figured out a reasonable fix.

Thanks again for your detailed problem report, it helped me quickly understand the issue.
Jan 28, 2014 at 9:21 PM
Wooo, thank you very much for this great explanation, it's always interesting to understand why changes have been made.
Thanks for the link too, that's a nice opportunity to dig into old code; I'm sure I've used the PreSendRequestHeaders event to remove the Server HTTP header somewhere...

It's amazing to see that NWebsec is still being continued and will be upgraded to support OWIN, thanks for this great project!
If you need someone to test your new OWIN middleware, I'd be happy to participate ;)
Coordinator
Jan 30, 2014 at 7:38 PM
This discussion has been copied to a work item.
Coordinator
Jan 30, 2014 at 8:27 PM
Thanks again for reporting this, I've just pushed NWebsec 3.0.1 to NuGet. It should solve the issue, let me know if you have any further issues. I've added an integration test to ensure that this does not break again.

I assume the PreSendRequestHeaders event is safe for "old code" where requests aren't handled asynchronously. But for new code, stay away from it. :)

Yes, the work on NWebsec continues as time allows. I'm looking forward to having the new version ready, including OWIN middleware. Thanks for your offer to help with the testing, I'll keep that in mind as I'm closing in on the next release. :)
Jan 30, 2014 at 9:17 PM
The new version published on NuGet seems to be working like a charm, thank you very much for your patience and your promptness :)