Saturday, May 20, 2017

Securing your ASP.NET MVC website Checklist

First, let me start by saying this is not a comprehensive list, but it is a good start.

Add headers for all requests

Add this to your web.config
<system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
<remove name="X-AspNet-Version" />
<remove name="X-AspNetMvc-Version" />
<remove name="X-Powered-By" />
<remove name="Server" />
        <add name="X-XSS-Protection" value="1; mode=block"/>
        <add name="X-Content-Type-Options" value="nosniff"/>
        <add name="Strict-Transport-Security" value="max-age=31536000"/>
<add name="X-Frame-Options" value="DENY" />
<add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

This does a good job of explaining what some of the header options are

Require Strong Passwords

Go to your AccountController and find the code that creates the PasswordValidator and change it to something like this. Length is the most important thing to consider from a cryptographic complexity. 

NOTE: 12 is the minimum required, but 16 is better to make it sufficiently time consuming to hack.

manager.PasswordValidator = new PasswordValidator
            {
                RequiredLength = 12,
                RequireNonLetterOrDigit = true,
                RequireDigit = true,
                RequireLowercase = true,
                RequireUppercase = true
            };

Remove ASP.NET Technology Headers


In Global.asax add the following to the Application_Start() event.

MvcHandler.DisableMvcResponseHeader = true;

You will also need to add the following to the web.config

<system.web>
<httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
</system.web>


Remove Server Info from headers

Add the following to Global.asax.cs

protected void Application_PreSendRequestHeaders()
        {
            if (HttpContext.Current != null)
            {
                HttpContext.Current.Response.Headers.Remove("Server");
            }
        }


Also read through security issues that require reviewing your code and maybe some knowledge of how your application is written.

Restrict origin of anything loaded

To be extra safe look at adding creating a white list of what stylesheets, scripts, etc can be loaded. This will take some digging on your site, but is probably worth the effort.


There is a nuget package that does some of this. This looks to be a better choice as it is per controller, etc and explains how to use it.


X-Frame-Options

MVC5 will add in the X-Frame-Option by default. If you want to remove it and make it DENY you will need to add the following line to your Application_Start() method in the Global.asax.cs.

System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;



17 comments:

aashisiva said...

I must thank you for the efforts you have put in penning this site. I am hoping to check out the same high-grade content by you later on as well. In truth, your creative writing abilities has inspired me to get my own, personal blog now..
SEO Training in Chennai
Selenium Training in Chennai
Web Designing Training in Chennai

nilashri said...

Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information..
Data Science training in Chennai | Data Science Training Institute in Chennai
Data science training in Bangalore | Data Science Training institute in Bangalore
Data science training in pune | Data Science training institute in Pune
Data science online training | online Data Science certification Training-Gangboard
Data Science Interview questions and answers

Ananya said...

This is an awesome post.Really very informative and creative contents. These concept is a good way to enhance the knowledge.I like it and help me to development very well.Thank you for this brief explanation and very nice information.Well, got a good knowledge.

rpa training in chennai
rpa training in bangalore | best rpa training in bangalore | rpa course in bangalore | rpa training institute in bangalore | rpa training in bangalore | rpa online training

Patell Priya said...

Nice post...! I am eagerly waiting for your new updates...
Embedded System Course Chennai
Embedded Training Institutes in Chennai
Corporate Training in Chennai
Power BI Training in Chennai
Linux Training in Chennai
Tableau Training in Chennai
Pega Training in Chennai
Unix Training in Chennai
Primavera Training in Chennai
Embedded Training in Thiruvanmiyur
Embedded Training in Tambaram

sasi said...

It's a looks very awesome article! Thanks a lot of sharing for information.
Python training in chennai
Python course in chennai
Python Training in OMR
AWS course in chennai
Data science training in chennai
Python Training in T.Nagar
Hadoop training in chennai
IELTS coaching in chennai

The India said...


123.hp.com

123.hp.com/setup

eazyclasses said...

I like how this article is composed. Your focuses are sound, unique, new, and fascinating. This data has been made so clear it is highly unlikely to misjudge it. Much thanks to you.


Online Teaching Platforms
Online Live Class Platform
Online Classroom Platforms
Online Training Platforms
Online Class Software
Virtual Classroom Software
Online Classroom Software
Learning Management System
Learning Management System for Schools
Learning Management System for Colleges
Learning Management System for Universities

BestTrainingMumbai said...

It is really great to know you being a responsible writer did take care of the information you have provided in this article. This is elegantly prepared and well-written in my opinion.
SAP training in Mumbai
SAP course in Mumbai
SAP training institute Mumbai

BestTrainingKolkata said...

By reading this article, many things have piled up in my mind which made me think about it. You have put some high quality and valuable information here that any reader would love to read. I sincerely share many of your views in this article.
SAP training in Kolkata
SAP course in kolkata
SAP training institute in Kolkata

devi said...

Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. After reading your article I was amazed. I know that you explain it very well. And I hope that other readers will also experience how I feel after reading your article Data Science Training In Chennai | Certification | Data Science Courses in Chennai | Data Science Training In Bangalore | Certification | Data Science Courses in Bangalore | Data Science Training In Hyderabad | Certification | Data Science Courses in hyderabad | Data Science Training In Coimbatore | Certification | Data Science Courses in Coimbatore | Data Science Training | Certification | Data Science Online Training Course

EXCELR said...

I read this post two times, I like it so much, please try to keep posting & Let me introduce other material that may be good for our community.

praveen said...

Hi,Great information.Thanks for sharing.I always read your blog and get lot of useful information.
hadoop training in chennai

hadoop training in porur

salesforce training in chennai

salesforce training in porur

c and c plus plus course in chennai

c and c plus plus course in porur

machine learning training in chennai

machine learning training in porur

deiva said...

Thanks for the post. It was very interesting and meaningful. I really appreciate it!
oracle training in chennai

oracle training in omr

oracle dba training in chennai

oracle dba training in omr

ccna training in chennai

ccna training in omr

seo training in chennai

seo training in omr

EXCELR said...

Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. This article inspired me to read more. keep it up.data science courses

Prwatech said...

Amazing post thanks for sharing.

Online training for big data
Big Data Hadoop Online Training

Maneesha said...

Your content is nothing short of brilliant in many ways. I think this is engaging and eye-opening material. Thank you so much for caring about your content and your readers.
data analytics courses in hyderabad

Unknown said...

It is imperative that we read blog post very carefully. I am already done it and find that this post is really amazing. data science course in surat