0

Could you please let me know how can we check the origin header server-wide in IIS to prevent CSRF through the configuration change only without adding a custom HTTP module in IIS?

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
user1773981
  • 1
  • You could use [URL Rewrite](https://www.iis.net/downloads/microsoft/url-rewrite). – phbits May 08 '20 at 03:57
  • Possible duplicate https://security.stackexchange.com/questions/91164/how-to-check-the-origin-header-server-wide-in-iis-to-prevent-csrf/91258 – phbits May 08 '20 at 03:58
  • Be aware that this is *NOT* sufficient to protect against CSRF in older browsers. IE11 still does not send the Origin header for non-CORS requests; there may be others that also don't. Additionally, if you have any state-changing GET request handlers (which in theory you shouldn't but in practice almost everybody does, such as `/logout`), those might not send the Origin header even in newer browsers. – CBHacking May 03 '21 at 10:04

1 Answers1

0

get a variable out of 'Host' 'Core' https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-3.1

get the cfg domain, from within server https://stackoverflow.com/questions/40020135/how-to-get-the-current-domain-name-in-startup-cs

I'm unsure how it will look like in code yet. I'm guessing u don't want to add anything to bin directory.

to check client get IP https://stackoverflow.com/questions/735350/how-to-get-a-users-client-ip-address-in-asp-net

New chrome and Firefoxes and Edge will do check for your, but old ones, its up to your Javascript and C# to do the rest I think.

Georgiy Chipunov
  • 1
  • 1