Add security headers to help protection from injection attacks in c# asp.net

I have a C# asp.net application. It was sent for a security assessment and below were the risks:

- Missing "Content-Security-Policy" header
- Missing "X-Content-Type-Options" header
- Missing "X-XSS-Protection" header
- It was observed that the server banner is getting disclosed in the HTTP response.
- It was observed that the service version is getting disclosed in the HTTP response.

I have the below code in the web.config file:

<!-- customHeaders sits under system.webServer and is applied by IIS 7+ in
     integrated pipeline mode; the Visual Studio development server ignores it. -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By"/>
      <add name="X-Frame-Options" value="DENY"/>
      <add name="X-XSS-Protection" value="1; mode=block"/>
      <!-- no trailing space in the value -->
      <add name="X-Content-Type-Options" value="nosniff"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>

I thought this would add the headers, but the security team says the issue is not fixed. Is there an alternative for this? And for the banner disclosure, I don't have access to the server. Can I fix this within the application? After research I found this: inside Global.asax I have this code:

protected void Application_PreSendRequestHeaders()
{
    // Integrated pipeline only: Response.Headers throws PlatformNotSupportedException
    // in classic mode. Set() replaces the banner; the commented line would drop it.
    // Response.Headers.Remove("Server");
    Response.Headers.Set("Server", "My httpd server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
}

protected void Application_BeginRequest(object sender, EventArgs e)
{
    var app = sender as HttpApplication;
    if (app != null && app.Context != null)
    {
        // Runs before IIS has added the Server header, so this removal is
        // usually a no-op; the header must be removed just before it is sent.
        app.Context.Response.Headers.Remove("Server");
    }
}

Is this the correct fix? Please help.

asked Jul 06 '17 07:07 by user3660473

1 Answer

Adding and removing headers during Application_BeginRequest always leads to headaches with your server complaining about not being able to do things after headers are set.

Typically "X-AspNet-Version" and "X-AspNetMvc-Version" are IIS custom headers and removing them depends on the version of IIS you are using.

With new versions of IIS you can set it in Web.Config:

<system.web>
    <!-- stops ASP.NET emitting X-AspNet-Version -->
    <httpRuntime enableVersionHeader="false" />
</system.web>

In older versions you need to use IIS Manager (see https://www.google.com/search?q=iis+remove++X-AspNet-Version&ie=utf-8&oe=utf-8).

You can remove the MVC header in Application_Start in Global.asax:

// in Application_Start(): stops MVC emitting X-AspNetMvc-Version
MvcHandler.DisableMvcResponseHeader = true;

Your web.config should work fine:

<add name="X-Frame-Options" value="DENY"/>
<add name="X-XSS-Protection" value="1; mode=block"/>
<add name="X-Content-Type-Options" value="nosniff"/>

If not, Application_PreSendRequestHeaders is an appropriate place to add or remove headers as well.

// Add() appends; if web.config already emitted the same header you get two
// values, so use Set() when both mechanisms are in play.
HttpContext.Current.Response.Headers.Add("X-Frame-Options", "DENY");
HttpContext.Current.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
HttpContext.Current.Response.Headers.Add("X-Content-Type-Options", "nosniff");
// Server is added by IIS late in the pipeline; this is the point where the
// removal actually sticks (integrated pipeline mode only).
HttpContext.Current.Response.Headers.Remove("Server");

You can use the web developer console on your web browser (usually opened by hitting F12) and click on the network tab to see what headers the server is sending.


answered Oct 18 '22 01:10 by Alexander Higgins
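Two things in the question explain why the assessment still fails: the posted web.config never adds a Content-Security-Policy header at all, so that finding was always going to remain open, and `<customHeaders>` is honoured only by IIS 7+ in integrated pipeline mode (the Visual Studio development server ignores it), so checking locally can show headers that production has and vice versa. The example below is added here and is not code from the question, the answer, or any project; it is an IHttpModule that emits every header the assessment asked for and strips the banner and version headers from every response the application handles, which is the "fix it inside the application" route the asker wanted. It assumes ASP.NET 4.5.2 or later on IIS 7+ in integrated mode; the class name, the module name and the CSP value are assumptions, and the CSP in particular is a starting policy, not a drop-in.

```csharp
using System;
using System.Web;

// Added example, not code from the question or the answer. Assumes ASP.NET
// 4.5.2+ on IIS 7 or later in integrated pipeline mode: Response.Headers is
// not writable under the classic pipeline. The CSP value is an assumed
// starting policy and must be tuned to the application's real script,
// style and image sources.
public class SecurityHeadersModule : IHttpModule
{
    // Restrictive starting point. Web Forms emits inline scripts (__doPostBack,
    // validators), so a Web Forms app will need nonces/hashes or a relaxed
    // script-src before this can leave report-only mode.
    private const string ContentSecurityPolicy =
        "default-src 'self'; " +
        "script-src 'self'; " +
        "style-src 'self'; " +
        "img-src 'self' data:; " +
        "object-src 'none'; " +
        "frame-ancestors 'none'; " +
        "base-uri 'self'; " +
        "form-action 'self'";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            var context = ((HttpApplication)sender).Context;
            // Callback runs once, immediately before the header block is
            // flushed. This is the .NET 4.5.2+ replacement for handling
            // PreSendRequestHeaders inside a module, which Microsoft documents
            // as unsafe with asynchronous handlers.
            context.Response.AddOnSendingHeaders(ApplySecurityHeaders);
        };
    }

    public void Dispose() { }

    // Public and static so the policy can be exercised against a fake
    // HttpContext in a unit test without standing up IIS.
    public static void ApplySecurityHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;

        // Set() overwrites; Add() would append a second value if web.config
        // already emitted the same header.
        headers.Set("Content-Security-Policy", ContentSecurityPolicy);
        headers.Set("X-Content-Type-Options", "nosniff");  // no trailing space
        headers.Set("X-Frame-Options", "DENY");            // frame-ancestors covers modern browsers; kept for old ones
        headers.Set("X-XSS-Protection", "1; mode=block");  // what the scanner asked for; modern browsers ignore it

        // Banner and version disclosure. The two version headers are better
        // switched off at the source (<httpRuntime enableVersionHeader="false" />
        // and MvcHandler.DisableMvcResponseHeader = true); removing them here
        // is a backstop.
        headers.Remove("Server");
        headers.Remove("X-Powered-By");
        headers.Remove("X-AspNet-Version");
        headers.Remove("X-AspNetMvc-Version");
    }
}
```

Register the module in web.config under `<system.webServer><modules>` with an `<add name="SecurityHeaders" type="SecurityHeadersModule" />` entry (use the namespace-qualified type name if the class lives in one), then check with the browser's Network tab or `curl -I` that each response carries the five headers and none of the four removed ones. Ship the CSP as `Content-Security-Policy-Report-Only` first and read the browser console for blocked resources before switching to the enforcing header; `X-XSS-Protection` is set to the value the scanner wants, but modern browsers no longer implement the auditor and OWASP's current advice is `0`, so do not count on it for protection. One gap the module cannot close: responses generated by HTTP.sys before the request reaches the application (for example a 400 for a malformed request) still carry its own `Server` header, and silencing that needs server access (the `DisableServerHeader` value under the HTTP service's registry parameters, or on IIS 10 the `removeServerHeader` attribute of `<requestFiltering>` for IIS-generated responses).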