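/// <summary>
/// Runs at the start of every request: adds browser-hardening response headers, strips
/// server/framework version headers, and (Release builds only) either decrypts an encrypted
/// query string in place or redirects a plain, non-AJAX GET to its encrypted form.
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
void Application_BeginRequest(object sender, EventArgs e)
{
    // Captured once so that the helpers below attribute their log entries to this handler,
    // exactly as the original single-method version did.
    System.Reflection.MethodBase logSource = System.Reflection.MethodBase.GetCurrentMethod();
    Common.Common.WriteLogToFile("Start Method", logSource);

    AddSecurityHeaders(HttpContext.Current.Response);

    #region Changes for Rewriting the Request URL with encrypted query string
    // Query-string encryption is applied only in Release mode so debugging keeps readable URLs.
    if (!HttpContext.Current.IsDebuggingEnabled)
    {
        HttpContext context = HttpContext.Current;
        var objContextWrapper = new HttpContextWrapper(Context);
        InsiderTrading.Common.Common objCommon = new InsiderTrading.Common.Common();

        bool isAjaxRequest = objContextWrapper.Request.IsAjaxRequest();
        // Log labels are kept byte-for-byte from the original; they read inverted relative to
        // the branch they mark — confirm intent before "fixing" them.
        Common.Common.WriteLogToFile(isAjaxRequest ? "HTTP request condition" : "Ajax request condition", logSource);

        if (context.Request.RawUrl.Contains("?"))
        {
            // AJAX calls are only ever decrypted in place; a redirect to an encrypted URL is
            // reserved for ordinary (non-AJAX) GET navigation.
            ProcessQueryString(context, objCommon, encryptPlainQuery: !isAjaxRequest, logSource: logSource);
        }
    }
    #endregion Changes for Rewriting the Request URL with encrypted query string

    Common.Common.WriteLogToFile("End Method", logSource);
}

/// <summary>Length of the random marker that prefixes an encrypted query string.</summary>
private const int EncryptedPrefixLength = 3;

/// <summary>
/// Adds the browser-hardening headers and removes version-disclosure headers from the response.
/// </summary>
/// <param name="response">The response of the current request.</param>
private static void AddSecurityHeaders(HttpResponse response)
{
    // Deny framing by other origins (clickjacking).
    response.AddHeader("x-frame-options", "SAMEORIGIN");
    // HSTS for 90 days (7776000 s); includeSubDomains / preload are not set here.
    response.AddHeader("Strict-Transport-Security", "max-age=7776000");
    // Stop MIME-type sniffing of responses.
    response.AddHeader("X-Content-Type-Options", "nosniff");
    // Legacy reflected-XSS filter; most current browsers ignore it, so a Content-Security-Policy
    // is the effective control — this header is kept for older clients only.
    response.AddHeader("X-XSS-Protection", "1;mode=block");

    // Strip server/framework fingerprints.
    // NOTE(review): Headers.Remove needs the IIS integrated pipeline, and IIS may append "Server"
    // after BeginRequest — verify with a captured response rather than assuming it is gone.
    response.Headers.Remove("Server");
    response.Headers.Remove("X-AspNetMvc-Version");
    response.Headers.Remove("X-AspNet-Version");

    // Kept from the original as a commented-out option (no-cache on the client side):
    //HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
}

/// <summary>
/// Decrypts an encrypted query string and rewrites the path, or — for a plain GET when
/// <paramref name="encryptPlainQuery"/> is set — encrypts the query and redirects to the
/// encrypted URL.
/// </summary>
/// <param name="context">The current request context.</param>
/// <param name="objCommon">Helper that recognises the random prefix and produces a new one.</param>
/// <param name="encryptPlainQuery">
/// When true a plain GET query is encrypted and redirected; AJAX callers pass false.
/// </param>
/// <param name="logSource">The method recorded on log entries (the BeginRequest handler).</param>
private void ProcessQueryString(HttpContext context, InsiderTrading.Common.Common objCommon, bool encryptPlainQuery, System.Reflection.MethodBase logSource)
{
    string query = ExtractQuery(context.Request.RawUrl);
    string path = GetVirtualPath();
    DataSecurity objDataSecurity = new DataSecurity();
    Common.Common.WriteLogToFile("Raw url content ? ", logSource);

    // A bare "?" or a query shorter than the prefix previously threw from Substring(0, 3) and
    // failed the request with a 500; such a query cannot carry the prefix, so treat it as plain.
    // presumably ExtractQuery() returns the text after "?" without the "?" itself — verify.
    bool hasEncryptedPrefix = query != null
        && query.Length >= EncryptedPrefixLength
        && objCommon.CheckIfStringIsCorrect(query.Substring(0, EncryptedPrefixLength));

    if (hasEncryptedPrefix)
    {
        // Strip only the leading prefix. The former query.Replace(prefix, "") also removed any
        // later occurrence of the same three characters inside the ciphertext, corrupting it.
        string rawQuery = query.Substring(EncryptedPrefixLength);
        string decryptedQuery = "";
        try
        {
            decryptedQuery = objDataSecurity.DecryptData(HttpUtility.UrlDecode(rawQuery));
        }
        catch (Exception exp)
        {
            // A tampered or foreign ciphertext is logged and the request continues with an
            // empty query string (fails closed rather than with a 500).
            Common.Common.WriteLogToFile("Exception occurred ", logSource, exp);
        }
        context.RewritePath(path, string.Empty, decryptedQuery);
        return;
    }

    // Nothing to protect in an empty query; only plain, non-AJAX GETs are rewritten, and the
    // ELMAH error-log endpoint keeps its readable parameters.
    if (!encryptPlainQuery || string.IsNullOrEmpty(query))
    {
        return;
    }
    if (context.Request.HttpMethod != "GET" || context.Request.RawUrl.Contains("elmah.axd"))
    {
        return;
    }

    // Encrypt the query string and redirect to the encrypted URL.
    // Remove this branch if not every query string should be encrypted automatically.
    string sStartString = objCommon.getRandomString();
    string encryptedQuery = "";
    try
    {
        encryptedQuery = "?" + sStartString + HttpUtility.UrlEncode(objDataSecurity.EncryptData(query));
    }
    catch (Exception exp)
    {
        // On failure the redirect targets the bare path, dropping the query rather than exposing it.
        Common.Common.WriteLogToFile("Exception occurred ", logSource, exp);
    }
    // The target is built from GetVirtualPath(), presumably the current request's own path rather
    // than caller-supplied input, so this is not an open redirect — confirm against that helper.
    // NOTE(review): endResponse: false leaves the rest of the pipeline running for this request;
    // consider context.ApplicationInstance.CompleteRequest() after the redirect — confirm.
    context.Response.Redirect(path + encryptedQuery, false);
}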