
...

There are two settings that control the operation of this feature, both found in the <InProcess> configuration element.

The checkSpoofing property is a flag that defaults to enabled when omitted; it is set only to explicitly disable the feature.

...

The spoofKey value is intended to be a long, random string of alphanumerics that is hidden from clients. The SP uses this value to distinguish between requests from a client and requests to which the SP has already added headers. It explicitly creates an extra header containing this key, and the theory is that if the client can't guess it, it can't fool the SP into bypassing detection. The SP assumes that if the header and value are present, the request has already passed the detection step.

Note

Disable dumping arbitrary/all request headers

For obvious reasons, you MUST prevent the client from accessing any server-side scripts that might expose the spoofKey value through a dump of arbitrary (or all) request headers.

Scripts like this are often used to debug problems by "dumping" the request variables available to applications. Note that blocking or removing such scripts is a standard server-hardening measure that should not be unusual or unfamiliar.
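The following is an added illustration of the detection logic described above and of the header-dump caveat; it is example code written for this page, not the Shibboleth SP's own implementation. The header name Shib-Spoof-Check, the set of "protected" headers (anything prefixed Shib- plus REMOTE_USER), and the sample requests are all assumptions constructed for the example.

```python
import hmac
import secrets

# Constructed for this example; a real deployment sets the key in <InProcess spoofKey="...">.
SPOOF_KEY = secrets.token_hex(32)
# Assumed name of the extra header the SP adds to mark a request it has already processed.
SPOOF_HEADER = "shib-spoof-check"
# Assumed: headers the SP populates itself and that a client must never be able to supply.
PROTECTED_PREFIX = "shib-"
PROTECTED_EXACT = {"remote_user"}


def _normalize(headers):
    # HTTP header names are case-insensitive, so compare on lower-cased names.
    return {name.lower(): value for name, value in headers.items()}


def is_protected(name):
    lowered = name.lower()
    return lowered.startswith(PROTECTED_PREFIX) or lowered in PROTECTED_EXACT


def spoof_check(headers, check_spoofing=True):
    """Classify a request the way the detection step in the text does.

    Returns (verdict, headers): 'trusted' when the SP's own key is present,
    'client' for a plain client request, 'spoofed' when a client supplied a
    protected header without the key (the offending headers are returned).
    """
    hdrs = _normalize(headers)
    presented = hdrs.pop(SPOOF_HEADER, None)
    # Constant-time comparison so the key cannot be recovered byte by byte.
    if presented is not None and hmac.compare_digest(presented, SPOOF_KEY):
        return "trusted", hdrs
    # No valid key, so the request came from the client. With checkSpoofing
    # disabled, client-supplied protected headers pass straight through.
    if not check_spoofing:
        return "client", hdrs
    spoofed = {name: hdrs[name] for name in hdrs if is_protected(name)}
    if spoofed:
        return "spoofed", spoofed
    return "client", hdrs


def sp_add_headers(headers, session):
    """Simulate the SP populating headers after authentication and marking the request."""
    verdict, hdrs = spoof_check(headers)
    if verdict == "spoofed":
        raise ValueError("spoofing detected: " + ", ".join(sorted(hdrs)))
    out = dict(hdrs)
    out.update(_normalize(session))
    out[SPOOF_HEADER] = SPOOF_KEY  # the marker a downstream check will trust
    return out


def safe_dump(headers):
    """A header dump that never discloses the spoof key (the Note's caveat)."""
    return {name: ("<redacted>" if name == SPOOF_HEADER else value)
            for name, value in _normalize(headers).items()}


def demo():
    # Constructed sample requests.
    honest = {"Host": "app.example.org", "Accept": "text/html"}
    forged = {"Host": "app.example.org", "REMOTE_USER": "admin", "Shib-Session-ID": "abc"}
    wrong_key = dict(forged, **{"Shib-Spoof-Check": "not-the-key"})
    results = {
        "honest": spoof_check(honest)[0],
        "forged": spoof_check(forged)[0],
        "wrong_key": spoof_check(wrong_key)[0],
        "forged_unchecked": spoof_check(forged, check_spoofing=False)[0],
    }
    processed = sp_add_headers(honest, {"REMOTE_USER": "alice", "Shib-Session-ID": "s1"})
    results["after_sp"] = spoof_check(processed)[0]
    results["dump_leaks_key"] = SPOOF_KEY in safe_dump(processed).values()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `forged_unchecked` case is the point of the checkSpoofing flag: with the check disabled, a client-supplied REMOTE_USER is indistinguishable from one the SP set, which is why the flag is only ever set to turn the feature off deliberately. `safe_dump` shows the shape of what a diagnostic script must do if it cannot simply be removed: the key header is the one value it must never echo.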

...