
I wanted to know the best way to implement the following in ASP.NET. I have never used these directives, so if you could kindly give me some sample code, it would be really helpful.

  1. HTTP/1.0 Pragma header
  2. HTTP/1.1 Cache-Control header
  3. Backdated Expires Header
RAHUL KATE
  • ASP.NET is hosted inside IIS, which already implements HTTP 1.0 and 1.1 and their cache-related HTTP headers. What is it you're trying to do that isn't working? – Joe White Oct 31 '11 at 14:29
  • Where can I validate that in IIS? There was a security assessment done on the website we developed and the recommendations were as below: HTTP/1.0 Pragma header was not used, HTTP/1.1 Cache-Control header was set to private, and lastly the backdated Expires header was not used or set to -1. Where can I validate these items? I am new to ASP.NET, especially these features. Please help me out. Thanks, – RAHUL KATE Oct 31 '11 at 14:37

1 Answer


As you mentioned in your question, they are simply HTTP headers. Some of these headers, for example Cache-Control, were introduced with HTTP v1.1. Others were introduced since HTTP 1.0 (Pragma), etc.

All you need to do is add them to your Response via Response.AddHeader("Key","value");

For example:

Response.AddHeader("Cache-Control","public");

UPDATE Now that you provide more details...

I don't particularly see any security issues with not setting these headers on your response. What's the issue with no caching pages according to the auditing company? If anything, your website is more secure by not allowing browsers to cache your pages.

Update 2 One way to define your pragma header on the markup is to have this:

<meta http-equiv="pragma" content="no-cache">

Right after the opening <head> element of your aspx page. Similarly for all other headers.

Icarus
  • Thanks Icarus, but I don't want to touch the code behind. Is there any way to implement it website wide? Like using web.config? or such. – RAHUL KATE Oct 31 '11 at 14:40
  • @RAHULKATE yes, you can add them on the markup directly. But again, from a security standpoint, I **strongly disagree** that setting them is a good idea. Not for nothing most financial institutions disable caching on their protected areas of their websites. – Icarus Oct 31 '11 at 14:45
  • @RAHULKATE I hope your company didn't get audited by this company/individual: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants – Icarus Oct 31 '11 at 14:49
  • Nope, it wasn't that company. So, what I understand is that the most secure way of adding those headers is in the Code Behind. How do I add the Pragma header though? Can you please give me a small example to add the http/1.0 Pragma header? – RAHUL KATE Oct 31 '11 at 14:53
  • @Icarus, I surely will read it over the weekend. It's a big thread, the preface is definitely interesting. Providing usernames and passwords in plain text??? That's the biggest security threat.... – RAHUL KATE Oct 31 '11 at 14:56
  • @RAHULKATE I will explain how you can add the pragma header on the markup. Will go to a meeting and come back – Icarus Oct 31 '11 at 15:01
  • @Icarus, thanks a ton. I kind of knew that approach, but then I will have to modify all the relevant .aspx pages. Is there any other way to do that, such that I do it once and it gets applied across the web pages? If possible I would like to avoid modifying all the .aspx pages. – RAHUL KATE Oct 31 '11 at 16:12
  • @RAHULKATE: I don't think there's a way to do it from the web.config but I could be wrong. Anyway, I would do it at the IIS level instead: http://www.iis.net/ConfigReference/system.webServer/httpProtocol/customHeaders – Icarus Oct 31 '11 at 16:50
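
One way to send the three headers discussed in this thread from a single place, without editing each .aspx page or its code-behind. This is an added example, not code from the answer or its comments; the module name `NoCacheHeadersModule` and the registration shown in the comment are assumptions (class placed in App_Code with no namespace, IIS 7+ integrated pipeline).

```csharp
using System;
using System.Web;

// Added example; NoCacheHeadersModule is a hypothetical name, not from the page.
// Register once in web.config (assumes the class lives in App_Code, no namespace):
//   <system.webServer>
//     <modules>
//       <add name="NoCacheHeadersModule" type="NoCacheHeadersModule" />
//     </modules>
//   </system.webServer>
public class NoCacheHeadersModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // Set the cache policy at the start of every request the module sees.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpCachePolicy cache = ((HttpApplication)sender).Context.Response.Cache;

        // HTTP/1.1: replaces the default "Cache-Control: private" with "no-cache".
        // With NoCache, ASP.NET also emits the HTTP/1.0 "Pragma: no-cache"
        // header and "Expires: -1".
        cache.SetCacheability(HttpCacheability.NoCache);

        // Adds "no-store": browsers and proxies should not keep a copy at all.
        cache.SetNoStore();

        // Backdated expiry for caches that only look at the Expires header.
        cache.SetExpires(DateTime.UtcNow.AddDays(-1));
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

The result can be checked in the response headers shown by the browser's developer tools for any page of the site.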