Why does my nested HttpModule EndRequest event handler not fire?
I'm having some strange behavior when I try to modify my headers with a EndRequest
event handler in a nested HttpModule
on MVC 5.2.2 and .NET 4.6.2. If I don't modify EndRequest
in my top level HttpModule
, it appears that the event handler in the nested HttpModule
never fires, even though I know Init
was called on the nested HttpModule
.
My question is, what is occurring in my code below to prevent the "TestNested" header from appearing in response headers, unless I include the commented out code that adds an EndRequest
event handler that does nothing?
Dynamically register my top level HttpModule
[assembly: PreApplicationStartMethod(typeof(PreApplicationStartClass), "Start")]
namespace MyNamespace
{
public class PreApplicationStartClass
{
public static void Start()
{
DynamicModuleUtility.RegisterModule(typeof(TopHttpModule));
}
}
}
Call Init
on all my other HttpModules
from a single top level module
namespace MyNamespace
{
public class TopHttpModule: IHttpModule
{
private readonly Lazy<IEnumerable<IHttpModule>> _modules =
new Lazy<IEnumerable<IHttpModule>>(RetrieveModules);
private static IEnumerable<IHttpModule> RetrieveModules()
{
return DependencyResolver.Current.GetServices<IHttpModule>();
}
public void Init(HttpApplication context)
{
var modules = _modules.Value;
foreach (var module in modules
.Where(module => module.GetType() != typeof(TopHttpModule)))
{
module.Init(context);
}
context.BeginRequest += (sender, e) =>
{
var app = sender as HttpApplication;
if (app != null)
{
//This shows that NestedHttpModule was found
app.Context.Response.Headers.Add(
"TestModules",
string.Join(",", modules.Select(_ => _.GetType().ToString())));
}
};
//Add this and the NestedHttpModule EndRequest handler works
//context.EndRequest += (sender, e) =>
//{
// //Do Nothing
//};
}
public void Dispose()
{
var modules = _modules.Value;
foreach (var disposable in modules
.Where(disposable => disposable.GetType() != typeof(TopHttpModule)))
{
disposable.Dispose();
}
}
}
}
Modify some header information in an EndRequest
event handler
namespace MyNamespace
{
public class NestedHttpModule: IHttpModule
{
public void Init(HttpApplication context)
{
//This gets called whether or not the TopHttpModule modifies context.EndRequest
MvcHandler.DisableMvcResponseHeader = true;
context.EndRequest += Application_EndRequest;
}
public void Application_EndRequest(object sender, EventArgs e)
{
var app = sender as HttpApplication;
if (app != null && app.Context != null)
{
//This doesn't appear to be called unless TopHttpModule modifies context.EndRequest
app.Context.Response.Headers.Add("TestNested", "Found");
}
}
public void Dispose()
{
//Do Nothing
}
}
}
Solution 1:
I also wanted to modify my headers, but i needed to hide as much as possible. It is the same for Add or Remove or both, it is just headers.
1) You can set MvcHandler.DisableMvcResponseHeader = true;
in the global.asax
protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}
and
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
}
2) You should not really use diff module for almost the same job, instead create a HeadersModule
that only handles header modification, and use the PreSendRequestHeaders
to add or remove any headers that you want. You can always inject some service with list of headers to add or remove.
public class HeadersModule : IHttpModule
{
public void Init(HttpApplication context)
{
context.PreSendRequestHeaders += OnPreSendRequestHeaders;
}
public void Dispose() {
}
void OnPreSendRequestHeaders(object sender, EventArgs e)
{
var r = sender as HttpApplication;
r.Response.Headers.Remove("Server");
r.Response.Headers.Remove("X-AspNetMvc-Version");
r.Response.Headers.Remove("X-AspNet-Version");
r.Response.Headers.Remove("X-Powered-By");
}
}
3) To be extra sure, that some headers show, or "not" show up you can add this to your config file
<system.webServer>
<modules>
<add name="HeadersModule " type="MyNamespace.Modules.HeadersModule " />
</modules>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<remove name="Server" />
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
</customHeaders>
<redirectHeaders>
<clear />
</redirectHeaders>
</httpProtocol>
</system.webServer>
4) Test all pages, aka 404, error pages, weird path names, cause they can leak certain headers or show headers that you did not expect.