HttpRuntimeSection.EnableHeaderChecking Property

Gets or sets a value that indicates whether header checking is enabled.

Namespace: System.Web.Configuration
Assembly: System.Web (in system.web.dll)

public bool EnableHeaderChecking { get; set; }
/** @property */
public boolean get_EnableHeaderChecking ()

/** @property */
public void set_EnableHeaderChecking (boolean value)

public function get EnableHeaderChecking () : boolean

public function set EnableHeaderChecking (value : boolean)


Property Value

true if the header checking is enabled; otherwise, false. The default value is true.

The purpose of this property is to enable encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This prevents injection attacks that exploit an application that echoes untrusted data into a response header.


This property does not apply to the status line itself (status code and status description), but should apply to other headers. Although the httpRuntime element (see httpRuntime Element (ASP.NET Settings Schema)) can be set at any level, this property is applicable only at the machine and application levels.

When this property is true, which is the default, the \r or \n characters found in a response header are encoded to %0d and %0a. This defeats header-injection attacks by making the injected material part of the same header line. This might break the response but should not open attack vectors against the client. Echoing back untrusted data is never a good idea in any situation, though.
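
The effect described above, as an added example (not code from this documentation page or from ASP.NET itself). The helper names and the sample header value are constructed for illustration, and the code only models the documented encoding of \r to %0d and \n to %0a.

```csharp
using System;
using System.Text;

// Added illustration: models the documented CR/LF encoding; not ASP.NET's internal code.
static class HeaderCheckingDemo
{
    // Encode CR and LF the way the Remarks describe: \r -> %0d, \n -> %0a.
    static string EncodeHeaderValue(string value)
    {
        return value.Replace("\r", "%0d").Replace("\n", "%0a");
    }

    // Serialize a minimal response head so the header lines can be counted.
    static string BuildResponseHead(string name, string value)
    {
        var sb = new StringBuilder();
        sb.Append("HTTP/1.1 200 OK\r\n");
        sb.Append(name).Append(": ").Append(value).Append("\r\n");
        sb.Append("\r\n");
        return sb.ToString();
    }

    // Count header lines between the status line and the blank line ending the head.
    static int CountHeaderLines(string head)
    {
        string[] lines = head.Split(new[] { "\r\n" }, StringSplitOptions.None);
        int count = 0;
        for (int i = 1; i < lines.Length && lines[i].Length > 0; i++) count++;
        return count;
    }

    static void Main()
    {
        // Constructed sample: untrusted input echoed into a header value.
        string untrusted = "en\r\nX-Injected: constructed-value";

        string raw = BuildResponseHead("Content-Language", untrusted);
        string encoded = BuildResponseHead("Content-Language", EncodeHeaderValue(untrusted));

        // Without encoding the value splits into two header lines; with it, one.
        Console.WriteLine("Checking off: {0} header line(s)", CountHeaderLines(raw));
        Console.WriteLine("Checking on:  {0} header line(s)", CountHeaderLines(encoded));
        Console.WriteLine("Encoded line: Content-Language: {0}", EncodeHeaderValue(untrusted));
    }
}
```

The encoded value is no longer what the application intended to send, which is the "might break the response" case noted above, but the client sees a single header line.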


HTTP header continuations rely on headers spanning multiple lines and require new lines in them. If you need to use header continuations, you need to set the EnableHeaderChecking property to false. Because there is a performance impact from looking at headers, if you are certain you are already doing the right checks, turning off this feature can improve the performance of your application. Before you disable this feature, be sure you are already taking the right precautions in this area.

The following example shows how to use the EnableHeaderChecking property.

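// Get the httpRuntime section of the application's configuration.
System.Configuration.Configuration config =
  System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration("~");
System.Web.Configuration.HttpRuntimeSection configSection =
  (System.Web.Configuration.HttpRuntimeSection)config.GetSection("system.web/httpRuntime");

// Get the EnableHeaderChecking property value.
Response.Write("EnableHeaderChecking: " +
  configSection.EnableHeaderChecking + "<br>");

// Set the EnableHeaderChecking property value to true.
configSection.EnableHeaderChecking = true;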

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0
