Security Considerations
Idea shared by Tony Munson - June 21, 2017 at 10:08 AM
Would it be possible to add some security improvements by default?
Here's a list I think that would help:
1) If HTTPS/SSL is enabled add this to web.config
<httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
2) Add to httpRuntime tag in web.config to not show excess info
3) Remove ability to have iframes from different origin in  <httpProtocol><customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
4) Along with #3 could we remove other server unnecessary info in Global.asax.cs
MvcHandler.DisableMvcResponseHeader = true;
5) For customErrors could we have a page for 500 errors? Currently it defaults to machine config 
  • Duplicate a page like /Interface/errors/404.html but for 500 errors
<customErrors mode="RemoteOnly" defaultRedirect="~/Interface/errors/500.html">

Reply to Thread