ASP.NET APP SECURITY: The worst 5 mistakes in the web.config file
- Custom errors and stack traces
- Display safe error messages
- Request validation
- Session fixation
Deploying-IT
Encrypting and decrypting configuration sections

Run aspnet_regiis.exe from the .NET Framework directory of the runtime the site uses (for example %windir%\Microsoft.NET\Framework64\v4.0.30319) in an elevated command prompt; the tool rewrites web.config in place.

Using the application folder path

Encrypting a web configuration section:
aspnet_regiis -pef "connectionStrings" "AppPhysicalPath" -prov "RsaProtectedConfigurationProvider"

Decrypting a web configuration section:
aspnet_regiis -pdf "connectionStrings" "AppPhysicalPath"

Where AppPhysicalPath is the folder that holds the web.config, for example "C:\AppFolderName".

Using the application name

Encrypting a web configuration section:
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"

Decrypting a web configuration section:
aspnet_regiis -pd "connectionStrings" -app "/SampleApplication"

The -app form resolves the virtual path under "Default Web Site"; for an application in another site add the -site switch with that site's name. Encrypting the file is only half the job: the application pool identity must be able to read the RSA key container (NetFrameworkConfigurationKey by default, access granted with the -pa switch), otherwise the site fails at startup because the runtime cannot decrypt the section. The ciphertext is also bound to that key, so on a web farm the container has to be exported and imported on every node before the encrypted web.config is copied around.
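The same protection can be applied from code, which is convenient in a deployment step or an admin page. The following is an added example, not code from Deploying-IT or from the original page; it assumes an IIS application at the virtual path "/SampleApplication" whose web.config has a connection string named "Db" (both names are assumptions), and it uses the same RsaProtectedConfigurationProvider that the aspnet_regiis commands above select.

```csharp
// Added example (not from the original page): encrypt and decrypt the
// <connectionStrings> section of an IIS application programmatically,
// the API equivalent of aspnet_regiis -pe / -pd.
// Assumptions: the app is mounted at "/SampleApplication" and its web.config
// defines a connection string named "Db".
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Same provider aspnet_regiis -prov selects. Its RSA key pair lives in the
    // machine-level NetFrameworkConfigurationKey container unless configured otherwise.
    private const string Provider = "RsaProtectedConfigurationProvider";

    public static void Protect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new InvalidOperationException("Section not found: " + sectionName);

        // Idempotent: re-running the deployment step does not double-encrypt.
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    public static void Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Consuming code is untouched: the runtime decrypts the section transparently,
    // provided the worker process identity can read the RSA key container.
    public static string ReadDbConnectionString()
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings["Db"];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Whatever identity runs Protect needs write access to web.config and to the key container, and the application pool identity needs read access to the container or ReadDbConnectionString will throw at first use; grant it with aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\SampleApplication" (pool name assumed). For a farm, export the container with aspnet_regiis -px and import it on each node with -pi before encrypting, so every node can open the same ciphertext.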
Removing unnecessary HTTP headers in IIS and ASP.NET

Version headers tell an attacker exactly which framework build to look up exploits for, and they are cheap to turn off.

1. X-AspNet-Version: in web.config add the following:
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

2. X-AspNetMvc-Version: in the MVC Application_Start event add the following:
MvcHandler.DisableMvcResponseHeader = true;

3. X-Powered-By: this one is configurable straight out of the box in IIS 7.x. Open the IIS Manager configuration of the website, locate the "HTTP Response Headers" item and remove X-Powered-By. IIS stores this change in the site's web.config under system.webServer/httpProtocol/customHeaders, so it travels with the deployment.

None of these three settings touches the Server header that IIS itself adds; that one has to be handled separately.
Secure cookies

1. HttpOnly cookies (not readable by script, which blunts cookie theft through XSS):
ASP.NET code:
Response.Cookies.Add(new HttpCookie("HttpOnlyCookie")
{
    Value = "I can't be read by JavaScript",
    HttpOnly = true
});
Web.config (applies to every cookie ASP.NET emits, including ASP.NET_SessionId):
<httpCookies httpOnlyCookies="true" />

2. Secure cookies (only sent over HTTPS):
ASP.NET code:
Response.Cookies.Add(new HttpCookie("SecureCookie")
{
    Value = "I won't be sent by the browser over a non-secure connection",
    Secure = true
});
Web.config:
<httpCookies requireSSL="true" />

requireSSL="true" marks every cookie Secure, so the site must really be served over HTTPS: over plain HTTP browsers accept the cookies but never send them back, and sessions and logins silently break. The forms authentication cookie is governed by the separate requireSSL attribute on the forms element, which should be set too.
CLICKJACKING

1. From the Global.asax file:
void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("X-Frame-Options", "DENY");
}

2. From IIS:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and SAMEORIGIN in the Value field.
Click OK to save your changes.

Use one of the two methods, not both, or every response carries two X-Frame-Options headers with different values and browsers do not agree on how to treat that. DENY refuses all framing, including by your own pages; SAMEORIGIN allows frames from the same origin only. Current browsers prefer the Content-Security-Policy frame-ancestors directive over X-Frame-Options when both are present, so send that as well where you can.
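The header removal steps and the clickjacking handler above both end up in Global.asax, so they are best kept together. The following is an added example, not code from the original page; it assumes an ASP.NET MVC application running on IIS 7 or later in the integrated pipeline (header removal in PreSendRequestHeaders and the Response.Headers indexer both depend on that mode). Stripping the Server header and sending a Content-Security-Policy frame-ancestors directive go beyond what the original text lists.

```csharp
// Added example (not from the original page): a Global.asax.cs that applies the
// header hygiene from the "Removing unnecessary HTTP headers" section and the
// X-Frame-Options defence from the "Clickjacking" section in one place.
// Assumption: ASP.NET MVC on IIS 7+ with the integrated pipeline; in classic mode
// Response.Headers throws PlatformNotSupportedException.
using System;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Suppresses X-AspNetMvc-Version. X-AspNet-Version is switched off by
        // <httpRuntime enableVersionHeader="false" /> in web.config, not here.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpResponse response = HttpContext.Current.Response;

        // Clickjacking defence. Choose ONE value and set it in ONE place (here or
        // in IIS Manager), otherwise the response carries two X-Frame-Options
        // headers. frame-ancestors is the CSP equivalent that current browsers
        // honour in preference to X-Frame-Options.
        response.Headers["X-Frame-Options"] = "SAMEORIGIN";
        response.Headers["Content-Security-Policy"] = "frame-ancestors 'self'";
    }

    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        // IIS adds Server and X-Powered-By late in the pipeline, so BeginRequest
        // is too early to remove them; this is the last hook before they go out.
        HttpContext context = HttpContext.Current;
        if (context == null)
            return;

        context.Response.Headers.Remove("Server");
        context.Response.Headers.Remove("X-Powered-By");
    }
}
```

PreSendRequestHeaders is a legacy hook with known problems under asynchronous handlers, so where the IIS version allows it prefer declarative removal: a remove entry for X-Powered-By under system.webServer/httpProtocol/customHeaders (which is exactly what IIS Manager writes for step 3 above) and, on IIS 10, removeServerHeader="true" on system.webServer/security/requestFiltering. Verify the result with a single request and inspect the response headers; a header that is only removed on some code paths is easy to miss.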