CodeQL fixes - tests applications (#4158)

Kielek · web-flow · commit 651ca69a1fa3 · 2025-04-16T10:33:23.000+02:00
* [CodeQL] Creating an ASP.NET debug binary may reveal sensitive information

* [CodeQL] ASP.NET config file enables directory browsing

* [CodeQL] Missing global error handler

* [CodeQL] Missing X-Frame-Options HTTP header
diff --git a/test/test-applications/integrations/TestApplication.AspNet.NetFramework/Views/Web.config b/test/test-applications/integrations/TestApplication.AspNet.NetFramework/Views/Web.config
@@ -30,6 +30,11 @@
       <remove name="BlockViewHandler"/>
       <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
     </handlers>
+    <httpProtocol>
+      <customHeaders>
+        <add name="X-Frame-Options" value="SAMEORIGIN" />
+      </customHeaders>
+    </httpProtocol>
   </system.webServer>
 
   <system.web>
diff --git a/test/test-applications/integrations/TestApplication.AspNet.NetFramework/Web.config b/test/test-applications/integrations/TestApplication.AspNet.NetFramework/Web.config
@@ -9,9 +9,9 @@
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
   </appSettings>
   <system.web>
-    <customErrors mode="Off">
+    <customErrors mode="On">
     </customErrors>
-    <compilation debug="true" targetFramework="4.6.2" />
+    <compilation targetFramework="4.6.2" />
     <httpRuntime targetFramework="4.6.2" />
   </system.web>
   <system.webServer>
@@ -22,6 +22,11 @@
       <remove name="TRACEVerbHandler" />
       <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
     </handlers>
+    <httpProtocol>
+      <customHeaders>
+        <add name="X-Frame-Options" value="SAMEORIGIN" />
+      </customHeaders>
+    </httpProtocol>
   </system.webServer>
   <runtime>
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
diff --git a/test/test-applications/integrations/TestApplication.Owin.IIS.NetFramework/Web.config b/test/test-applications/integrations/TestApplication.Owin.IIS.NetFramework/Web.config
@@ -16,4 +16,12 @@
     <compilation debug="true" targetFramework="4.6.2"/>
     <httpRuntime targetFramework="4.6.2"/>
   </system.web>
+
+  <system.webServer>
+    <httpProtocol>
+      <customHeaders>
+        <add name="X-Frame-Options" value="SAMEORIGIN" />
+      </customHeaders>
+    </httpProtocol>
+  </system.webServer>
 </configuration>
diff --git a/test/test-applications/integrations/TestApplication.Wcf.Server.IIS.NetFramework/Web.config b/test/test-applications/integrations/TestApplication.Wcf.Server.IIS.NetFramework/Web.config
@@ -41,12 +41,17 @@
     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
   </system.serviceModel>
   <system.webServer>
+    <httpProtocol>
+      <customHeaders>
+        <add name="X-Frame-Options" value="SAMEORIGIN" />
+      </customHeaders>
+    </httpProtocol>
     <modules runAllManagedModulesForAllRequests="true"/>
     <!--
         To browse web app root directory during debugging, set the value below to true.
         Set to false before deployment to avoid disclosing web app folder information.
       -->
-    <directoryBrowse enabled="true"/>
+    <directoryBrowse enabled="false"/>
   </system.webServer>
 
 </configuration>
