Encrypt a subsection of web.config - asp.net

I would like to encrypt a subsection of a web.config (not a top-level section). For example:
<SomeSection>
  <settings>
    <add name="foo" value="bar" />
  </settings>
  <secretSettings>
    <add name="password" value="foobar" />
  </secretSettings>
</SomeSection>
Is there a way to encrypt the <secretSettings> subsection similar to this method? Note I cannot simply move the subsection into a main section because there is code which is outside of my control that is currently using it.

Related

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

I am trying to implement Content-Security-Policy with the NWebSec NuGet package.
The basic configuration level is working at this moment, but I am trying to add a nonce for each script and style in the project.
How to add a nonce to the below tags for inline?
@Styles.Render("~/Content/css/file")
For BundleConfig,
bundles.Add(new ScriptBundle("~/Content/Scripts").Include(
    "~/Content/Scripts/General.js"
));
I tried with a new class and it's working, but with the NWebSec package I am going nowhere.
Below is their solution with @Html.CspScriptNonce() directives and this is working.
<script @Html.CspScriptNonce()>document.write("Hello world")</script>
<style @Html.CspStyleNonce()>
  h1 {
    font-size: 10em;
  }
</style>
The solution I tried was to use @Styles.RenderFormat in the following way:
@Styles.RenderFormat("<link href=\"{0}\" rel=\"stylesheet\" " + @Html.CspStyleNonce() +"/>","~/Content/css/file")
When using NWebSec with ASP.Net MVC Bundles, you can not apply a Nonce, but luckily you don't need to.
There might be something you need to change in your web.config though. In the nwebsec > httpHeaderSecurityModule > securityHttpHeaders > content-Security-Policy section, make sure that self="true" for both style-src and script-src. self="true" is the default, though, so if you don't need those elements for any other declarations, you can omit them.
Here's the nwebsec section in my web.config. I'm using both style and script bundles, and have no third-party scripts.
<nwebsec>
  <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
    <securityHttpHeaders>
      <content-Security-Policy enabled="true">
        <default-src self="true" />
        <font-src self="true">
          <add source="https://fonts.gstatic.com" />
        </font-src>
        <object-src none="true" />
        <style-src self="true">
          <add source="https://fonts.googleapis.com" />
        </style-src>
        <base-uri none="true" />
      </content-Security-Policy>
    </securityHttpHeaders>
  </httpHeaderSecurityModule>
</nwebsec>
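
The answer above relies on bundles being emitted as same-origin external files, which `'self'` already covers, while inline blocks are what need a nonce. As an added example (not code from the post or from NWebSec), this Python sketch reads a trimmed, constructed copy of that config and applies a simplified CSP source match; the origin `https://app.example` and the bundle URL are assumed values, and only attributes actually written in the config are read.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the CSP part of the nwebsec section quoted above (trimmed).
NWEBSEC_XML = """
<nwebsec>
  <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd">
    <securityHttpHeaders>
      <content-Security-Policy enabled="true">
        <default-src self="true" />
        <object-src none="true" />
        <style-src self="true">
          <add source="https://fonts.googleapis.com" />
        </style-src>
      </content-Security-Policy>
    </securityHttpHeaders>
  </httpHeaderSecurityModule>
</nwebsec>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def load_policy(xml_text):
    """Return {directive: [source expressions]} from an nwebsec section."""
    root = ET.fromstring(xml_text)
    csp = next(e for e in root.iter() if local(e.tag) == "content-Security-Policy")
    policy = {}
    for directive in csp:
        sources = []
        if directive.get("none") == "true":
            sources.append("'none'")
        if directive.get("self") == "true":
            sources.append("'self'")
        sources += [a.get("source") for a in directive if local(a.tag) == "add"]
        policy[local(directive.tag)] = sources
    return policy

def allows(policy, directive, page_origin, url=None):
    """Simplified CSP check. url=None means an inline block with no nonce."""
    # A missing fetch directive such as script-src falls back to default-src.
    sources = policy.get(directive, policy.get("default-src", []))
    if url is None:
        return "'unsafe-inline'" in sources  # inline needs this, a nonce or a hash
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}" if u.netloc else page_origin  # relative URL: same origin
    return ("'self'" in sources and origin == page_origin) or origin in sources

if __name__ == "__main__":
    p = load_policy(NWEBSEC_XML)
    print(allows(p, "script-src", "https://app.example", "/Content/Scripts?v=1"))  # bundle URL (assumed)
    print(allows(p, "script-src", "https://app.example"))  # inline script, no nonce
```
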

How do I use configSource with configBuilders in ASP.NET?

I'm following https://jeffreyfritz.com/2017/11/modern-configuration-for-asp-net-4-7-1-with-configurationbuilders/ for my ASP.NET 4.7.2 application but we have this in the Web.config:
<connectionStrings configSource="myconfig.config"/>
I was hoping I could transiently set the values in myconfig.config using environment variables by changing this block to:
<connectionStrings configBuilders="Env" configSource="myconfig.config"/>
But this gives me a compiler error:
A section using 'configSource' may contain no other attributes or elements.
Here's what myconfig.config looks like:
<?xml version="1.0" encoding="utf-8"?>
<connectionStrings>
  <add name="db1" connectionString="conn1" providerName="prov1" />
  <add name="db2" connectionString="conn2" providerName="prov2" />
  <add name="db3" connectionString="conn3" providerName="prov3" />
</connectionStrings>
Any ideas? I've been trying to search up how to make the two work in conjunction to no avail!
The solution, for anyone facing this, is to put the "configBuilders" attribute on the target file as so:
<?xml version="1.0" encoding="utf-8"?>
<connectionStrings configBuilders="Env">
  <add name="db1" connectionString="conn1" providerName="prov1" />
  <add name="db2" connectionString="conn2" providerName="prov2" />
  <add name="db3" connectionString="conn3" providerName="prov3" />
</connectionStrings>
Also, because another issue popped up after... make sure you are using "configSource" as an attribute and not "file".

Web.config file settings for long querystring

I have a large form that gets executed and spits out a query string that is very long. Sometimes it's only 50 characters and sometimes it's reaching 50k characters. The problem is, I notice once the query string hits about 7500 characters, I get
"The connection was reset. The connection to the server was reset while the page was loading."
I get this in Explorer, Firefox and Chrome. I have adjusted my web.config file to allow for many characters and sizes, but I am still getting this error after 7500 characters. (That is not an exact number, it's a guesstimate.)
I'm not sure if I am missing something or not
Here is my web.config file
<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
    <asp scriptErrorSentToBrowser="true"/>
  </system.webServer>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS request filtering limits for query string and URL length -->
        <requestLimits maxQueryString="90000" maxUrl="90000" />
      </requestFiltering>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime
      maxQueryStringLength="90000"
      maxUrlLength="90000"
      relaxedUrlToFileSystemMapping="true"
      executionTimeout = "90000"
      requestLengthDiskThreshold = "90000"
      shutdownTimeout = "00:06:00"
      appRequestQueueLimit="90000"
      maxRequestLength="90000"
      enable = "True" />
  </system.web>
  <system.web>
    <customErrors mode="Off"/>
    <compilation debug="true"/>
  </system.web>
</configuration>
the form
<% validateForm "addscheduleform4.asp" %>
<form method="post" name="addUs">
  <% validateError %>
  <ALOT OF INPUTS>
  <input type="submit" name="save" value="Submit" style="height:50px; width:200px">
</form>
After pressing submit, url as requested:
OK, so basically this was in general a completely wrong way of setting up the form, causing it to create a query string with characters in the thousands.
<form method="post" name="addUs" action="addscheduleform4.asp">
  <ALOT OF INPUTS>
  <input type="submit" name="Submit" value="Submit" style="height:50px; width:200px">
</form>
That is the correct way to set up that form to properly POST. If the post is not fully filled out properly, the form defaults to "GET".
The page it goes to was reading inputs as:
pp73 = getUserInput(request.querystring("30"&pidlocation&"73"),100)
when it should be
pp73 = getUserInput(request.form("30"&pidlocation&"73"),100)
So because of the improper form setup, request.form was not working, causing me to change it to request.querystring. Now, with a complete POST form method, it is switched back to request.form and passes data without query strings, solving the long query issue.

Where can the using directive be placed in ASP.NET Razor pages?

I've traditionally always put @using directives in my ASP.NET Razor pages at the top, along with the @model directive. However, for my overall layout, I want to make sure the DOCTYPE declaration is at the very beginning of the document, so I want to push the @using down a bit. Would the following be valid?
<!DOCTYPE html>
<html>
@using My.Library;
<head>
<title>Test web page</title>
...
Also, is there any documentation on where the @using directive can be used in Razor pages? I can't seem to find any. Is it valid to use it after some other Razor code, for example, or does it have to appear first?
It is valid, and you can use @using anywhere before you need that library.
MSDN:
HTML markup lines can be included at any part of the code.
so you can put DOCTYPE at the top of page.
Up to .Net 4.5...
There is a web.config file in the Views folder, you can add namespaces in there, that is global to all views:
e.g:
<namespaces>
  <add namespace="System.Web.Mvc" />
  <add namespace="System.Web.Mvc.Ajax" />
  <add namespace="System.Web.Mvc.Html" />
  <add namespace="System.Web.Routing" />
  <add namespace="System.Web.Routing" />
  <add namespace="System.Globalization" />
  <add namespace="My.Library" />
</namespaces>

Log current page url with NLog

I'm trying to log the current pages URL as part of our NLog layout. I've scoured the NLog layout variables and have come up with nothing.
Does anyone know how to get the current page URL as a variable for the layout? Also is it possible just to extract the domain name so this can be used in the EventLog source attribute?
Use the Aspnet-request layout renderer.
<target xsi:type="Trace"
name="trace"
layout="${message} ${aspnet-request:serverVariable=Url}" />
You have full access to the request properties.
I tested many approaches and only "item" seems to work in regards to http://msdn.microsoft.com/en-us/library/ms524602.aspx
method = ${aspnet-request:item=HTTP_METHOD}
url with query string = ${aspnet-request:item=HTTP_URL}
user agent / browser = ${aspnet-request:item=HTTP_USER_AGENT}
and so on...
UPDATE
Additionally to my answer above (I don't remember if I knew it back then or not) but I found somewhere (also don't remember where, was a while ago) that NLog.Extended.dll must be also referenced to use functionality relevant to ASP.NET logging ie. layouts with ${aspnet-...
Answer for .NET Core as I tried the above before finding that the above does not work for .NET Core
THE FOLLOWING DO NOT WORK FOR .NET CORE
${aspnet-request:serverVariable=Url}
${aspnet-request:item=HTTP_URL}
Instead use:
${aspnet-request-url}
${aspnet-request-querystring}
e.g.
<target name="jsonFile" xsi:type="File" fileName="log.json" archiveNumbering="DateAndSequence" archiveAboveSize="5000000" maxArchiveFiles="10">
  <layout xsi:type="JsonLayout">
    <attribute name="time" layout="${longdate}" />
    <attribute name="level" layout="${level:upperCase=true}"/>
    <attribute name="message" layout="${message}" />
    <attribute name="exception" layout="${exception:format=ToString,StackTrace:maxInnerExceptionLevel=2}" />
    <attribute name="machineName" layout="${machinename}" />
    <attribute name="ip" layout="${aspnet-request-ip}" />
    <attribute name="method" layout="${aspnet-request-method}" />
    <attribute name="url" layout="${aspnet-request-url}" />
    <attribute name="query" layout="${aspnet-request-querystring}" />
    <attribute name="postedBody" layout="${aspnet-request-posted-body}" />
    <attribute name="userAgent" layout="${aspnet-request-useragent}" />
  </layout>
</target>
For more see:
https://nlog-project.org/config/?tab=layout-renderers&search=package:nlog.web.aspnetcore
