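        /// <summary>
        /// Global.asax BeginRequest handler, run once per request before any handler.
        /// Adds the response security headers, strips framework fingerprint headers and,
        /// outside debug mode, transparently decrypts an encrypted query string (or, for a
        /// plain non-AJAX GET, redirects the client to the encrypted form of the same URL).
        /// </summary>
        /// <param name="sender">The <see cref="HttpApplication"/> raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        void Application_BeginRequest(object sender, EventArgs e)
        {
            Common.Common.WriteLogToFile("Start Method", System.Reflection.MethodBase.GetCurrentMethod());

            HttpResponse response = HttpContext.Current.Response;

            // Clickjacking defence: only same-origin pages may frame this site.
            response.AddHeader("x-frame-options", "SAMEORIGIN");
            // HSTS, 90 days in seconds. NOTE(review): browsers only honour this header on an
            // HTTPS response, and the usual hardening guidance is max-age of at least one year
            // plus "includeSubDomains" - confirm the intended policy with the deployment owner.
            response.AddHeader("Strict-Transport-Security", "max-age=7776000");
            // Stop browsers from MIME-sniffing a response away from its declared Content-Type.
            response.AddHeader("X-Content-Type-Options", "nosniff");
            // Legacy XSS-auditor header; current browsers ignore it. The supported replacement
            // is a Content-Security-Policy header, which is not set here.
            response.AddHeader("X-XSS-Protection", "1;mode=block");

            // Remove version-fingerprinting headers from the response.
            // NOTE(review): IIS adds "Server" when the headers are flushed, so removing it this
            // early is often ineffective; PreSendRequestHeaders (or IIS configuration) is the
            // usual place for that one - verify on a live response.
            response.Headers.Remove("Server");
            response.Headers.Remove("X-AspNetMvc-Version");
            response.Headers.Remove("X-AspNet-Version");

            // Client-side caching is left at the default; the no-cache line is kept, disabled,
            // exactly as in the original for reference.
            //HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);

            #region Changes for Rewriting the Request URL with encrypted query string
            // Query-string encryption is only applied in Release mode.
            if (!HttpContext.Current.IsDebuggingEnabled)
            {
                HttpContext context = HttpContext.Current;
                var objContextWrapper = new HttpContextWrapper(context);
                InsiderTrading.Common.Common objCommon = new InsiderTrading.Common.Common();

                // Both AJAX and non-AJAX requests get the decrypt/rewrite step; only a
                // non-AJAX GET is ever redirected to the encrypted form of its URL.
                bool isAjax = objContextWrapper.Request.IsAjaxRequest();
                Common.Common.WriteLogToFile(isAjax ? "Ajax request condition" : "HTTP request condition",
                                             System.Reflection.MethodBase.GetCurrentMethod());

                if (context.Request.RawUrl.Contains("?"))
                {
                    string query = ExtractQuery(context.Request.RawUrl);
                    string path  = GetVirtualPath();

                    Common.Common.WriteLogToFile("Raw url content ? ", System.Reflection.MethodBase.GetCurrentMethod());

                    // A bare "?" carries nothing to protect; previously this case threw
                    // ArgumentOutOfRangeException from Substring(0, 3) and answered 500.
                    if (!string.IsNullOrEmpty(query)
                        && !TryRewriteEncryptedQuery(context, objCommon, query, path)
                        && !isAjax
                        && context.Request.HttpMethod == "GET"
                        && context.Request.RawUrl.IndexOf("elmah.axd", StringComparison.OrdinalIgnoreCase) < 0)
                    {
                        // Plaintext query on a normal GET: send the client to the encrypted URL.
                        // Remove this call if query strings should not be encrypted automatically.
                        RedirectToEncryptedQuery(context, objCommon, query, path);
                    }
                }
            }
            #endregion Changes for Rewriting the Request URL with encrypted query string

            Common.Common.WriteLogToFile("End Method", System.Reflection.MethodBase.GetCurrentMethod());
        }

        /// <summary>
        /// If <paramref name="query"/> begins with a marker accepted by
        /// <c>CheckIfStringIsCorrect</c>, decrypts the remainder and rewrites the request to
        /// <paramref name="path"/> with the plaintext query string.
        /// </summary>
        /// <param name="context">Current request context.</param>
        /// <param name="objCommon">Helper that recognises the random 3-character marker.</param>
        /// <param name="query">Query string without the leading "?", as returned by ExtractQuery.</param>
        /// <param name="path">Virtual path to rewrite to.</param>
        /// <returns>true when the query was recognised as encrypted and the path was rewritten.</returns>
        private static bool TryRewriteEncryptedQuery(HttpContext context, InsiderTrading.Common.Common objCommon, string query, string path)
        {
            // Length of the random prefix produced by getRandomString(); the original code
            // hard-coded Substring(0, 3) - assumed fixed, confirm against getRandomString().
            const int MarkerLength = 3;

            // Queries shorter than the marker cannot be encrypted ones.
            if (query == null || query.Length < MarkerLength)
            {
                return false;
            }

            string marker = query.Substring(0, MarkerLength);
            if (!objCommon.CheckIfStringIsCorrect(marker))
            {
                return false;
            }

            // Take everything after the marker. The original used query.Replace(marker, ""),
            // which also removed any later occurrence of those three characters inside the
            // ciphertext and so intermittently broke decryption.
            string rawQuery       = query.Substring(MarkerLength);
            string decryptedQuery = string.Empty;
            try
            {
                decryptedQuery = new DataSecurity().DecryptData(HttpUtility.UrlDecode(rawQuery));
            }
            catch (Exception exp)
            {
                // NOTE(review): a tampered or truncated ciphertext lands here and the request
                // then continues with an EMPTY query string instead of being rejected. That is
                // the pre-existing behaviour; if handlers must never run on silently dropped
                // parameters, answer 400 here instead of rewriting.
                Common.Common.WriteLogToFile("Exception occurred ", System.Reflection.MethodBase.GetCurrentMethod(), exp);
            }

            context.RewritePath(path, string.Empty, decryptedQuery);
            return true;
        }

        /// <summary>
        /// Encrypts the plaintext query string and redirects the client to the same path with
        /// the encrypted form (random marker + URL-encoded ciphertext), then completes the
        /// request so no handler runs on the plaintext URL.
        /// </summary>
        /// <param name="context">Current request context.</param>
        /// <param name="objCommon">Helper that produces the random marker prefix.</param>
        /// <param name="query">Plaintext query string without the leading "?".</param>
        /// <param name="path">Virtual path the redirect targets.</param>
        private static void RedirectToEncryptedQuery(HttpContext context, InsiderTrading.Common.Common objCommon, string query, string path)
        {
            string encryptedQuery = string.Empty;
            string sStartString   = objCommon.getRandomString();
            try
            {
                encryptedQuery = "?" + sStartString + HttpUtility.UrlEncode(new DataSecurity().EncryptData(query));
            }
            catch (Exception exp)
            {
                // Encryption failure: log and redirect to the bare path, dropping the
                // parameters (pre-existing behaviour).
                Common.Common.WriteLogToFile("Exception occurred ", System.Reflection.MethodBase.GetCurrentMethod(), exp);
            }

            // endResponse:false avoids the ThreadAbortException raised by Response.End(), but on
            // its own it lets the rest of the pipeline - including the page handler - execute
            // on the plaintext request before the 302 is sent. CompleteRequest() skips straight
            // to EndRequest, which is the recommended pairing.
            context.Response.Redirect(path + encryptedQuery, false);
            context.ApplicationInstance.CompleteRequest();
        }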