azure_web_app_security_hardening

azure_web_app_security_hardening [2017/11/18 02:30] – created stephenazure_web_app_security_hardening [2017/11/19 05:39] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Azure Web App Security Hardening ====== ====== Azure Web App Security Hardening ======
 +
 +A bunch of checks can be done [[https://securityheaders.io/|here]].
  
 ===== HTTPS Only ===== ===== HTTPS Only =====
Line 10: Line 12:
     filters.Add(new RequireHttpsAttribute());     filters.Add(new RequireHttpsAttribute());
 </code> </code>
 +
 +===== Remove Unnecessary Headers =====
 +
 +''~/Global.asax.cs'':
 +
 +<code c#>
 +protected void Application_Start() {
 + ...
 + // Add this:
 + MvcHandler.DisableMvcResponseHeader = true;
 +}
 +
 +// Add this method:    
 +protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
 + // Trying to remove this in the web.config doesn't work for some reason...
 + Response.Headers.Remove("server");
 +}
 +</code>
 +
 +''~/Web.config'':
 +
 +<code xml>
 +<system.web>
 + ...
 + <!-- Add enableVersionHeader="false" -->
 + <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
 + ...
 +</code>
 +
 +<code xml>
 +<system.webServer>
 + ...
 + <!-- Add this section. -->
 + <httpProtocol>
 + <customHeaders>
 + <remove name="X-Powered-By"/>
 + </customHeaders>
 + </httpProtocol>
 +</system.webServer>
 +</code>
 +
 +===== HTTPS Only Cookies =====
 +
 +''~/Web.config'':
 +
 +<code xml>
 +<system.web>
 + ...
 + <!-- Add this: -->
 + <httpCookies httpOnlyCookies="true" requireSSL="true" />
 +</system.web>
 +</code>
 +
 +===== Add Security Headers =====
 +
 +''~/Web.config'':
 +
 +<code xml>
 +<system.webServer>
 + <httpProtocol>
 +  <customHeaders>
 + ...
 + <!-- Add these: -->
 + <add name="Content-Security-Policy" value="upgrade-insecure-requests"/>
 + <add name="X-Frame-Options" value="DENY"/>
 + <add name="X-XSS-Protection" value="1; mode=block"/>
 + <add name="X-Content-Type-Options" value="nosniff"/>
 + <add name="Referrer-Policy" value="origin-when-cross-origin"/>
 + <!-- Max-age is in seconds, 31536000 = one year -->
 + <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
 +  </customHeaders>
 +  </httpProtocol>
 + </system.webServer>
 + </code>
 +
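Review bot: The `X-XSS-Protection: 1; mode=block` header added under customHeaders is now discouraged: current browsers have removed the XSS auditor, and where a filter mode is still honoured it can be abused for cross-site information leaks, so `<add name="X-XSS-Protection" value="0"/>` (or omitting the header and relying on CSP) is the safer setting. The `Content-Security-Policy` value `upgrade-insecure-requests` only rewrites http:// subresource fetches and places no restriction on script or frame sources, so a comment such as `<!-- upgrade-insecure-requests alone is not an XSS mitigation; add a default-src/script-src policy -->` would keep readers from assuming the page is now CSP-protected. `includeSubDomains` on Strict-Transport-Security commits every subdomain to HTTPS for the full max-age, which is worth stating next to the existing max-age comment. Whether `Response.Headers.Remove("server")` in Application_PreSendRequestHeaders actually strips the IIS Server header on App Service appears to depend on the hosting pipeline; the section should say to confirm with the scanner linked at the top rather than assume it works.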
