OWASP Top Ten to Secure SharePoint Public Site (Part 5)

In part 4, we sanitized the response headers sent by the SharePoint portal by modifying them through the custom headers section of web.config. Unfortunately, during my testing not every response header could be modified with that technique. Therefore we need a custom HttpModule to clean up the response headers. The following headers will be removed from the response using this technique:

  1. Server
  2. X-AspNet-Version
  3. X-SharePointHealthScore
  4. SPRequestGuid
  5. X-Powered-By
  6. MicrosoftSharePointTeamServices
  7. SPIisLatency
  8. SPRequestDuration
  9. X-MS-InvokeApp

We also want to add additional response header:

  1. X-Xss-Protection

To do this, first create an App_Code folder in the site root. Create CustomHttpModule.cs (you can name it differently) and type in the following content: https://gist.github.com/cakriwut/de3fb3fba489cfdf1b3558c1a4b447c4 Finally, our complete web.config will look like this: https://gist.github.com/cakriwut/9b941c634bc5216c199aea0c8c379424
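For readers who cannot open the gist, here is an added example of the kind of IHttpModule the post describes. It is not the code from the post's gist; the class name `CustomHttpModule`, the event-handler name and the `X-Xss-Protection` value `1; mode=block` are my assumptions. It strips the nine headers listed above in `PreSendRequestHeaders`, which fires after SharePoint has added its own headers and just before they go on the wire, and it uses `Set` rather than `Add` so the XSS header is not duplicated if something upstream already emitted it.

```csharp
using System;
using System.Web;

// Added example, not the post's gist. Hypothetical module that removes
// fingerprinting headers from every response and adds X-Xss-Protection.
public class CustomHttpModule : IHttpModule
{
    // The headers the post wants removed (server/product fingerprinting
    // and SharePoint diagnostics that leak internal timing and request ids).
    private static readonly string[] HeadersToRemove =
    {
        "Server",
        "X-AspNet-Version",
        "X-SharePointHealthScore",
        "SPRequestGuid",
        "X-Powered-By",
        "MicrosoftSharePointTeamServices",
        "SPIisLatency",
        "SPRequestDuration",
        "X-MS-InvokeApp"
    };

    public void Init(HttpApplication context)
    {
        // Runs once per response, after SharePoint's own modules have
        // populated the header collection and before it is flushed.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null || app.Context == null) return;

        HttpResponse response = app.Context.Response;

        // Response.Headers is writable only in the IIS integrated pipeline;
        // Remove is a no-op for headers that are not present.
        foreach (string name in HeadersToRemove)
        {
            response.Headers.Remove(name);
        }

        // Set (not Add) replaces an existing value instead of sending two copies.
        response.Headers.Set("X-Xss-Protection", "1; mode=block");
    }

    public void Dispose()
    {
        // Nothing to release; the event subscription dies with the application.
    }
}
```

Register it in web.config under `<system.webServer><modules>` with `<add name="CustomHttpModule" type="CustomHttpModule" />` (type name matches the class above; no assembly name is needed for App_Code classes). After deployment, request a page with `curl -I` and confirm none of the nine headers appear; note that IIS may still emit its own `Server` header for responses that never enter the ASP.NET pipeline (static files, kernel-cached responses), which this module cannot touch. `X-Xss-Protection` only affects older browsers' built-in filters; modern browsers ignore it, so it complements rather than replaces a Content-Security-Policy header.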

Riwut Libinuko
Sr. Cloud Solution Architect
