Security Considerations
Idea shared by Tony Munson - June 21, 2017 at 10:08 AM
Proposed
Would it be possible to add some security improvements by default?
 
Here's a list I think that would help:
 
1) If HTTPS/SSL is enabled, add this to web.config:
 
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
 
2) Add this to the httpRuntime tag in web.config so it doesn't show excess info:
 
enableVersionHeader="false"
 
3) Remove the ability to have iframes from a different origin in <httpProtocol><customHeaders>:
 
<add name="X-Frame-Options" value="SAMEORIGIN" />
 
4) Along with #3, could we remove other unnecessary server info in Global.asax.cs?
 
MvcHandler.DisableMvcResponseHeader = true;
 
5) For customErrors, could we have a page for 500 errors? Currently it defaults to the machine config.
 
  • Duplicate a page like /Interface/errors/404.html but for 500 errors
 
<customErrors mode="RemoteOnly" defaultRedirect="~/Interface/errors/500.html" />
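As an added example that is not part of the original post: a small Python audit of captured HTTP response headers that checks whether items 1 to 4 above actually took effect on the wire (HttpOnly and Secure on cookies, no X-AspNet-Version, an X-Frame-Options header, no X-AspNetMvc-Version). The header values are constructed for illustration; item 5 is a rendering change and is not covered by a header check.

```python
"""Audit a captured HTTP response's headers against the web.config hardening list."""
from http.cookies import SimpleCookie


def audit_headers(headers):
    """Return a list of findings for a dict of response headers.

    Header names are matched case-insensitively. Set-Cookie may be a
    single string or a list of strings (one per cookie).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1) httpCookies httpOnlyCookies="true" requireSSL="true"
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)  # parses "name=value; Path=/; HttpOnly; Secure"
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks HttpOnly")
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure")

    # 2) httpRuntime enableVersionHeader="false"
    if "x-aspnet-version" in h:
        findings.append("X-AspNet-Version header disclosed")

    # 3) X-Frame-Options custom header
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")

    # 4) MvcHandler.DisableMvcResponseHeader = true
    if "x-aspnetmvc-version" in h:
        findings.append("X-AspNetMvc-Version header disclosed")

    return findings


# Constructed sample responses: default ASP.NET MVC output vs. the hardened site.
BEFORE = {
    "Server": "Microsoft-IIS/10.0",
    "X-AspNet-Version": "4.0.30319",
    "X-AspNetMvc-Version": "5.2",
    "Set-Cookie": "ASP.NET_SessionId=abc123; path=/",
}
AFTER = {
    "Server": "Microsoft-IIS/10.0",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
}
```

Running audit_headers(BEFORE) reports five findings, one per missing setting; audit_headers(AFTER) reports none.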