- Remove the version headers in `web.config`. `enableVersionHeader="false"` suppresses only `X-AspNet-Version`; `X-Powered-By` is removed with a `<remove name="X-Powered-By" />` entry under `<system.webServer><httpProtocol><customHeaders>`, and the IIS `Server` header with `<requestFiltering removeServerHeader="true" />` on IIS 10 or later.

  ```xml
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  ```
- Disable the MVC version header (`X-AspNetMvc-Version`) in `Global.asax`, inside `Application_Start`:

  ```csharp
  MvcHandler.DisableMvcResponseHeader = true; // suppresses X-AspNetMvc-Version
  ```
- Remove any CORS policy that allows `*` for origin, header and method. Allow-list the specific origins that need access and only the headers and methods they use; a wildcard origin (or worse, one that echoes the request `Origin` together with `Access-Control-Allow-Credentials: true`) lets any site script calls to the API.
- Disable debug compilation in the release configuration. `debug="true"` returns detailed stack traces, turns off request execution timeouts and disables bundling and minification:

  ```xml
  <system.web>
    <compilation debug="false" />
  </system.web>
  ```
- Disable directory browsing so a folder without a default document does not list its contents:

  ```xml
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
  ```
- Use custom error pages so stack traces and server details are never returned to the client. `customErrors` handles errors raised inside ASP.NET (IIS 6, or the classic pipeline); `httpErrors` handles the IIS 7+ integrated pipeline, including static files and non-ASP.NET paths, so on IIS 7+ configure both:

  ```xml
  <!-- ASP.NET level (IIS 6 / classic pipeline) -->
  <system.web>
    <customErrors mode="On" defaultRedirect="~/500.html">
      <error statusCode="404" redirect="~/404.html" />
      <error statusCode="500" redirect="~/500.html" />
    </customErrors>
  </system.web>

  <!-- IIS level (IIS 7+ integrated pipeline) -->
  <system.webServer>
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/404.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
  ```
- Mark every cookie `Secure` and `HttpOnly`. In `web.config`, `requireSSL` adds the Secure flag to the cookies ASP.NET issues (set `requireSSL="true"` on `<forms>` as well if forms authentication is used); for OWIN cookie authentication set `CookieSecure = CookieSecureOption.Always` and `CookieHttpOnly = true` on `CookieAuthenticationOptions`:

  ```xml
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  ```
- Send `X-Frame-Options: SAMEORIGIN` so the application cannot be framed by another origin (clickjacking). Current browsers honour `Content-Security-Policy: frame-ancestors 'self'` as its replacement; send both while older clients are still in use. [Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options]

  ```xml
  <system.webServer>
    <!-- ... -->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    <!-- ... -->
  </system.webServer>
  ```
- Host the application over HTTPS, redirect every HTTP request to HTTPS with a URL Rewrite rule, and enable HSTS. `redirectType="Found"` is a 302; switch to `Permanent` (301) once the HTTPS site is confirmed working. The `Strict-Transport-Security` header is only honoured on HTTPS responses (browsers ignore it over plain HTTP), so emit it conditionally, for example from an outbound rewrite rule conditioned on `{HTTPS}` being `on`, or from application code when `Request.IsSecureConnection` is true, rather than as an unconditional `customHeaders` entry:

  ```xml
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  ```
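The cookie and HTTPS/HSTS items above, applied from an OWIN `Startup` class. This is an added example and is not code from the secure.netapps repository; it assumes the `Microsoft.Owin` and `Microsoft.Owin.Security.Cookies` packages (4.1 or later for `CookieSameSite`), and the namespace, authentication type name, login path and lifetimes are placeholders.

```csharp
// Added example (not from the secure.netapps repository): OWIN Startup that sets the
// HSTS header only on HTTPS responses and hardens the authentication cookie.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(SecureNetApps.Startup))] // hypothetical namespace

namespace SecureNetApps
{
    public class Startup
    {
        // One year. Drop includeSubDomains if any subdomain must stay on plain HTTP.
        private const string HstsValue = "max-age=31536000; includeSubDomains";

        public void Configuration(IAppBuilder app)
        {
            // HSTS is defined only for HTTPS responses (RFC 6797); browsers discard it
            // over HTTP. Setting it here, conditionally, avoids the unconditional
            // <customHeaders> entry. The URL Rewrite rule still does the redirect.
            app.Use(async (context, next) =>
            {
                if (context.Request.IsSecure)
                {
                    // Set, not Append, so a duplicate header is never produced.
                    context.Response.Headers.Set("Strict-Transport-Security", HstsValue);
                }
                await next();
            });

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",          // placeholder
                LoginPath = new PathString("/Account/Login"),      // placeholder
                // Always, not SameAsRequest: behind a TLS-terminating proxy the request
                // reaches the app over HTTP and SameAsRequest would omit the Secure flag.
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
                // Blocks cross-site POSTs from carrying the cookie. Requires Microsoft.Owin 4.1+.
                CookieSameSite = SameSiteMode.Lax,
                SlidingExpiration = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(30)
            });
        }
    }
}
```

`CookieSecureOption.Always` is the setting that matters when TLS terminates at a load balancer: the application sees HTTP, so the default `SameAsRequest` would issue an unflagged cookie that the browser then sends over any HTTP request to the host.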
- Never use session state in Web API. Web API is designed to be stateless and `HttpContext.Session` is null unless session behaviour is forced onto the route. Enabling it ties requests to one server's memory, serialises requests from the same client behind the session lock, and makes the API rely on an ambient cookie that cross-site requests carry automatically. Keep per-caller state in the authenticated token or in the request.
- Disable tracing except while diagnosing a specific issue, and even then keep it local so `trace.axd` is never reachable remotely:

  ```xml
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
  ```
- Never pass user input to the database without a parameterized query (or an ORM that parameterizes for you). Concatenating input into the SQL text is the SQL injection vector; parameters carry the value separately from the statement, so quotes and comment markers in it have no SQL meaning. Parameters cannot carry identifiers (table names, column names, `ORDER BY` targets); those must be matched against an allow-list.
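The concatenation pattern the item above warns against, next to its parameterized replacement and an allow-list for the one case parameters cannot cover. This is an added example, not code from the secure.netapps repository; it uses `System.Data.SqlClient`, and the table, columns, namespace and connection string are placeholders.

```csharp
// Added example (not from the secure.netapps repository): SQL injection via string
// concatenation beside the parameterised form, using System.Data.SqlClient.
using System;
using System.Data;
using System.Data.SqlClient;

namespace SecureNetApps.Data // hypothetical namespace
{
    public class UserRepository
    {
        private readonly string _connectionString; // placeholder, supplied by the caller

        public UserRepository(string connectionString)
        {
            _connectionString = connectionString;
        }

        // VULNERABLE: input becomes part of the statement text. A userName of
        //   ' OR 1=1 --
        // turns the predicate into UserName = '' OR 1=1, so the count is never zero;
        // a UNION payload reads other tables through the same string.
        public bool UserExistsUnsafe(string userName)
        {
            string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                conn.Open();
                return (int)cmd.ExecuteScalar() > 0;
            }
        }

        // SAFE: the statement is fixed at compile time and the value travels as a typed
        // parameter. Whatever the caller supplies is compared as data, never parsed as SQL.
        public bool UserExists(string userName)
        {
            const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                // Explicit type and length matching the column keep the plan stable
                // instead of letting the driver infer a size per distinct input.
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
                conn.Open();
                return (int)cmd.ExecuteScalar() > 0;
            }
        }

        // Parameters do not cover identifiers. A user-selectable sort column is mapped
        // onto a fixed allow-list and anything else is rejected (fail closed).
        private static readonly string[] SortableColumns = { "UserName", "CreatedOn" };

        public static string SafeSortColumn(string requested)
        {
            foreach (var col in SortableColumns)
            {
                if (string.Equals(col, requested, StringComparison.Ordinal))
                    return col;
            }
            throw new ArgumentException("Unsupported sort column.", nameof(requested));
        }

        public string ListUsersSql(string requestedSortColumn)
        {
            // The identifier comes from the allow-list, so interpolation here is safe.
            return "SELECT UserName, CreatedOn FROM Users ORDER BY " + SafeSortColumn(requestedSortColumn);
        }
    }
}
```

The two lookup methods differ only in where `userName` ends up: inside the SQL string in the first, in `SqlParameterCollection` in the second. The allow-list at the end is the piece teams most often forget when they believe "we use parameters everywhere".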
- Require an anti-forgery token on every state-changing POST: HTML form posts (`@Html.AntiForgeryToken()` in the view, `[ValidateAntiForgeryToken]` on the action), AJAX posts (send the token in a request header and validate it on the server) and LogOff, which must itself be a POST rather than a GET link so that a third-party page cannot end the user's session.
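Anti-forgery coverage for the three cases the item above names (form post, AJAX post, LogOff) in an ASP.NET MVC 5 controller, including a filter that validates the token from a request header for AJAX callers. This is an added example, not code from the secure.netapps repository; it assumes `System.Web.Mvc` and `System.Web.Helpers`, and the header name `X-XSRF-Token`, controller and action names are placeholders.

```csharp
// Added example (not from the secure.netapps repository): anti-forgery token handling
// for form POSTs, AJAX POSTs and LogOff in ASP.NET MVC 5.
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Security;

namespace SecureNetApps.Web // hypothetical namespace
{
    // AJAX callers have no form field, so the client sends the form-token half in a
    // header while the cookie half travels as usual. Validation uses the same
    // AntiForgery machinery that [ValidateAntiForgeryToken] uses for forms.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
    public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public const string HeaderName = "X-XSRF-Token"; // hypothetical header name

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            HttpRequestBase request = filterContext.HttpContext.Request;
            HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken = cookie != null ? cookie.Value : null;
            string headerToken = request.Headers[HeaderName];

            try
            {
                // Throws when either half is missing, the pair does not match,
                // or the token was issued to a different user.
                AntiForgery.Validate(cookieToken, headerToken);
            }
            catch (HttpAntiForgeryException)
            {
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Invalid anti-forgery token.");
            }
        }
    }

    public class AccountController : Controller
    {
        // Form POST: the view renders @Html.AntiForgeryToken() inside the <form>.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult ChangeEmail(string newEmail)
        {
            // ... update the address for User.Identity.Name ...
            return RedirectToAction("Index", "Home");
        }

        // AJAX: the page fetches a token here (or reads it from a rendered meta tag)
        // and sends it back in the X-XSRF-Token header on each POST.
        [HttpGet]
        public JsonResult AntiForgeryToken()
        {
            HttpCookie existing = Request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken, formToken;
            // newCookieToken is null when the existing cookie is still valid.
            AntiForgery.GetTokens(existing != null ? existing.Value : null, out cookieToken, out formToken);
            if (cookieToken != null)
            {
                Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, cookieToken) { HttpOnly = true, Secure = true });
            }
            return Json(new { token = formToken }, JsonRequestBehavior.AllowGet);
        }

        [HttpPost]
        [ValidateHeaderAntiForgeryToken]
        public ActionResult UpdatePreferences(string theme)
        {
            // ... persist the preference ...
            return new HttpStatusCodeResult(HttpStatusCode.NoContent);
        }

        // LogOff is a POST with a token, never a GET link: a GET would let any page
        // the user visits terminate the session with an <img> or a redirect.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut(); // or the OWIN SignOut equivalent
            return RedirectToAction("Index", "Home");
        }
    }
}
```

The header filter deliberately returns 403 rather than rethrowing, so a token failure on an AJAX call produces a status the client can act on instead of an HTML error page.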
Repository: d-saravanan/secure.netapps
About: How to secure a .Net based application on the web