
HttpRuntimeSection::EnableHeaderChecking Property

Gets or sets a value that indicates whether the header checking is enabled.

Namespace:  System.Web.Configuration
Assembly:  System.Web (in System.Web.dll)
[ConfigurationPropertyAttribute(L"enableHeaderChecking", DefaultValue = true)]
public:
property bool EnableHeaderChecking {
	bool get ();
	void set (bool value);
}

Property Value

Type: System::Boolean
true if the header checking is enabled; otherwise, false. The default value is true.

The purpose of this property is to enable encoding of the carriage return and newline characters, \r and \n, that are found in response headers.

In outbound response headers, characters with codes 0x1F and below, and the character 0x7F (the delete character), are encoded. The only exception is 0x09 (the tab character), which is left unmodified.

This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained in the header.

Note

This property does not apply to the status line itself (status code and status description), but should apply to other headers. Although <httpRuntime> can be set at any level, this property is only applicable at the machine and application level.

When this property is true, which is the default, the \r or \n characters found in a response header are encoded to %0d and %0a. This defeats header-injection attacks by making the injected material part of the same header line. This might break the response but should not open attack vectors against the client. Echoing back untrusted data is never a good idea in any situation, though.

Important

HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the EnableHeaderChecking property to false. Because there is a performance impact from looking at headers, if you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.
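
The encoding rule described above and its effect on an injected line break, as an added C# example (not from the original page and not the System.Web implementation). The lowercase %xx form for every encoded character, the header name, and the sample input are assumptions constructed for illustration.

```csharp
using System;
using System.Text;

static class HeaderCheckingDemo
{
    // Model of the encoding this page describes (assumption: not the System.Web source).
    // Codes 0x00-0x1F except tab (0x09), plus 0x7F, become %xx.
    static string EncodeHeaderValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            bool encode = (c <= 0x1F && c != 0x09) || c == 0x7F;
            if (encode) sb.Append('%').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        }
        return sb.ToString();
    }

    // Number of header lines a client would parse from "Name: value" on the wire.
    static int HeaderLineCount(string name, string value)
    {
        string wire = name + ": " + value + "\r\n";
        return wire.Split(new[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries).Length;
    }

    static void Main()
    {
        // Constructed untrusted input that an application echoes into a header.
        string untrusted = "en\r\nX-Injected: 1";

        string raw = untrusted;                         // enableHeaderChecking="false"
        string encoded = EncodeHeaderValue(untrusted);  // enableHeaderChecking="true" (default)

        // Without checking, the line break splits the value into a second header line.
        Console.WriteLine("unchecked lines: " + HeaderLineCount("Content-Language", raw));
        // With checking, the injected material stays part of the same header line.
        Console.WriteLine("checked lines:   " + HeaderLineCount("Content-Language", encoded));
        Console.WriteLine("checked value:   " + encoded);

        // Tab is the one control character left unmodified; DEL (0x7F) is encoded.
        Console.WriteLine("tab preserved:   " + (EncodeHeaderValue("a\tb") == "a\tb"));
        Console.WriteLine("DEL encoded:     " + EncodeHeaderValue("a\u007Fb"));
    }
}
```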


.NET Framework

Supported in: 4.5.1, 4.5, 4, 3.5, 3.0, 2.0

Windows Phone 8.1, Windows Phone 8, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

© 2014 Microsoft. All rights reserved.