C Sharp Header Checking Disabled
Description
Detects when HTTP header checking is explicitly disabled in C# applications through the EnableHeaderChecking property. Disabling header validation can expose applications to header injection attacks and malicious header manipulation, potentially compromising application security.
Detection Strategy
• Identifies assignments or configurations where the EnableHeaderChecking property is present in the code
• Verifies if the EnableHeaderChecking property is set in an HttpRuntime context
• Reports a vulnerability when EnableHeaderChecking is set to a false or disabled state
• Specifically targets C# web applications using HttpRuntime configuration
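The checks listed above, written as a regex-based scan of C# source in Python. This is an added example, not Fluid Attacks' scanner code: the function name find_disabled_header_checking and the SAMPLE input are constructed for illustration, and the scan also covers the object-initializer form, which the page does not show.

```python
import re

# Blank string literals and comments (keeping newlines) so neither can trigger
# or hide a finding. Verbatim @"..." strings are not handled: a simplification.
_NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# Names bound to an HttpRuntimeSection: typed declarations/parameters, or `var`
# initialised with `new HttpRuntimeSection` or a cast to that type.
_TYPED = re.compile(r"\bHttpRuntimeSection\s+(\w+)")
_VAR = re.compile(r"\bvar\s+(\w+)\s*=\s*(?:new\s+HttpRuntimeSection\b|\(\s*HttpRuntimeSection\s*\))")
# `name.EnableHeaderChecking = false` (an `== false` comparison does not match).
_ASSIGN = re.compile(r"\b(\w+)\s*\.\s*EnableHeaderChecking\s*=\s*false\b")
_INIT = re.compile(r"\bnew\s+HttpRuntimeSection\s*(?:\(\s*\))?\s*\{[^}]*?\bEnableHeaderChecking\s*=\s*false\b")

# Constructed sample input (hypothetical class and variable names).
SAMPLE = '''using System.Web.Configuration;
class Program {
    void ConfigureRuntime(OtherSettings other) {
        // cfg.EnableHeaderChecking = false;  (commented out: ignored)
        HttpRuntimeSection cfg = new HttpRuntimeSection();
        cfg.EnableHeaderChecking = false;
        other.EnableHeaderChecking = false;
        var safe = new HttpRuntimeSection();
        safe.EnableHeaderChecking = true;
        var init = new HttpRuntimeSection {
            EnableHeaderChecking = false
        };
    }
}
'''


def find_disabled_header_checking(source):
    """Return 1-based line numbers where header checking is switched off."""
    code = _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    tracked = {m.group(1) for m in _TYPED.finditer(code)}
    tracked |= {m.group(1) for m in _VAR.finditer(code)}
    hits = set()
    for m in _ASSIGN.finditer(code):
        if m.group(1) in tracked:  # property belongs to an HttpRuntimeSection
            hits.add(code.count("\n", 0, m.start()) + 1)
    for m in _INIT.finditer(code):  # object-initializer form
        hits.add(code.count("\n", 0, m.end()) + 1)
    return sorted(hits)


if __name__ == "__main__":
    print(find_disabled_header_checking(SAMPLE))
```

The assignment on `other` is not reported because that variable is never bound to an HttpRuntimeSection, which is the "HttpRuntime context" check from the list above.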
Vulnerable code example
using System.Web.Configuration;

class Program {
    void ConfigureRuntime() {
        // Vulnerable: disabling header checking exposes the app to header injection attacks
        HttpRuntimeSection httpConfig = new HttpRuntimeSection();
        httpConfig.EnableHeaderChecking = false;
        // ...
    }
}
✅ Secure code example
using System.Web.Configuration;

class Program {
    void ConfigureRuntime() {
        // Safe: keep header checking enabled to prevent header injection attacks
        HttpRuntimeSection httpConfig = new HttpRuntimeSection();
        httpConfig.EnableHeaderChecking = true;
        // ...
    }
}