CA5365 (Security). Enabled by default: No

Do Not Disable HTTP Header Checking

Microsoft docs

Description

HTTP header checking encodes the carriage return and newline characters (\r and \n) that appear in response header values. Because a raw CR/LF pair terminates a header line on the wire, this encoding prevents HTTP response splitting and header injection attacks against an application that echoes untrusted data into a response header.
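As an added illustration (not code from the Microsoft docs page or from ASP.NET itself), the following Python script models a redirect handler that echoes an attacker-controlled "return URL" into a Location header, serializes the response with and without header checking, and parses the result the way a browser or proxy would. The encoder is a stand-in that does only what the description above states (percent-encodes \r and \n); the framework's own encoder is not reproduced here, and the malicious input is constructed for the demonstration.

```python
from __future__ import annotations

# Added example: a toy model of HTTP response splitting and of what header
# checking (encoding \r and \n in header values) does to the injected payload.
# The encoder below illustrates the mechanism the rule protects; it is not
# ASP.NET's HttpEncoder. The attacker input is constructed for this demo.

CRLF = "\r\n"

# Constructed attacker input: a "return URL" that smuggles a CRLF followed by a
# header the attacker wants the victim's browser to accept as the server's own.
MALICIOUS_RETURN_URL = "/home\r\nSet-Cookie: session=attacker-chosen; Path=/"


def encode_header_value(value: str) -> str:
    """Percent-encode CR and LF so they can no longer end a header line.

    Stand-in for the behaviour the rule describes (assumption: only \r and \n
    are handled here; the real encoder may cover more control characters).
    """
    return value.replace("\r", "%0d").replace("\n", "%0a")


def build_redirect(return_url: str, header_checking: bool) -> str:
    """Serialize a 302 whose Location header echoes untrusted input."""
    headers = [("Location", return_url), ("Content-Length", "0")]
    lines = ["HTTP/1.1 302 Found"]
    for name, value in headers:
        if header_checking:
            value = encode_header_value(value)
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def parse_headers(raw_response: str) -> dict[str, str]:
    """Naive client-side parse: one header per CRLF-terminated line up to the blank line."""
    head, _, _body = raw_response.partition(CRLF + CRLF)
    _status_line, *header_lines = head.split(CRLF)
    parsed: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(": ")
        parsed[name] = value
    return parsed


def headers_seen_by_client(header_checking: bool) -> dict[str, str]:
    """Headers a client extracts from the redirect built from the malicious input."""
    return parse_headers(build_redirect(MALICIOUS_RETURN_URL, header_checking))


if __name__ == "__main__":
    for checking in (False, True):
        print(f"enableHeaderChecking={checking}: {headers_seen_by_client(checking)}")
```

With checking off, the client sees a Set-Cookie header the application never intended to send; with checking on, the CR/LF survive only as the literal text %0d%0a inside the Location value, so the attacker's line is never parsed as a header.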

Cause

The rule fires when System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking is set to false.

How to fix violations

Set System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking to true, or simply remove the assignment to false, because the default value is true. Note that in a deployed application the effective value comes from the enableHeaderChecking attribute of the httpRuntime element in web.config (or machine.config); an HttpRuntimeSection created with new is a detached configuration object and does not change the running application's behaviour, but the analyzer still flags the assignment.

Example

Violation:

using System;
using System.Web.Configuration;

class TestClass
{
    public void TestMethod()
    {
        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
        // Violates CA5365: disables encoding of \r and \n in response headers.
        httpRuntimeSection.EnableHeaderChecking = false;
    }
}

Fix:

using System;
using System.Web.Configuration;

class TestClass
{
    public void TestMethod()
    {
        HttpRuntimeSection httpRuntimeSection = new HttpRuntimeSection();
        // Compliant: header checking is left on. The assignment is redundant
        // because true is the default; removing it entirely also satisfies the rule.
        httpRuntimeSection.EnableHeaderChecking = true;
    }
}

When to suppress

HTTP header continuations span multiple lines and therefore require newlines inside a header. If you must emit header continuations, you have to set the System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking property to false; bear in mind that line folding in headers is deprecated by RFC 7230, so this is rarely a genuine requirement. Header checking also has a performance cost. If you are certain that every value written into a response header is already validated (in particular, that \r and \n can never reach a header from untrusted input), turning the feature off can improve the performance of your application. Before you disable it, make sure those checks are actually in place.
