azure_web_app_security_hardening

Differences

This shows you the differences between two versions of the page.

azure_web_app_security_hardening [2017/11/18 03:24] – [Remove Unnecessary Headers] stephenazure_web_app_security_hardening [2017/11/19 05:39] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Azure Web App Security Hardening ====== ====== Azure Web App Security Hardening ======
 +
 +A bunch of checks can be done [[https://securityheaders.io/|here]].
  
 ===== HTTPS Only ===== ===== HTTPS Only =====
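Review bot: the link text "here" in the added line says nothing about what the target is; name the tool so the sentence reads on its own, e.g. "The resulting response headers can be checked with [[https://securityheaders.io/|securityheaders.io]]." Stating what it checks (response headers, not the whole deployment) also keeps readers from treating a good score there as a complete hardening result.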
Line 24: Line 26:
 // Add this method:     // Add this method:    
 protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
 + // Trying to remove this in the web.config doesn't work for some reason...
  Response.Headers.Remove("server");  Response.Headers.Remove("server");
 } }
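Review bot: the added comment records that the web.config route failed but not which web.config setting was tried or why it fails, so the next maintainer is likely to retry the same thing; replace "for some reason..." with the attempted element (presumably a `<remove name="Server"/>` under `customHeaders`, given the section below) and the reason the server header is not covered by it. It is also worth a line noting that `Response.Headers` in `Application_PreSendRequestHeaders` only works under the IIS integrated pipeline, since that is the precondition for this workaround.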
Line 61: Line 64:
 </system.web> </system.web>
 </code> </code>
 +
 +===== Add Security Headers =====
 +
 +''~/Web.config'':
 +
 +<code xml>
 +<system.webServer>
 + <httpProtocol>
 +  <customHeaders>
 + ...
 + <!-- Add these: -->
 + <add name="Content-Security-Policy" value="upgrade-insecure-requests"/>
 + <add name="X-Frame-Options" value="DENY"/>
 + <add name="X-XSS-Protection" value="1; mode=block"/>
 + <add name="X-Content-Type-Options" value="nosniff"/>
 + <add name="Referrer-Policy" value="origin-when-cross-origin"/>
 + <!-- Max-age is in seconds, 31536000 = one year -->
 + <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
 +  </customHeaders>
 +  </httpProtocol>
 + </system.webServer>
 + </code>
  
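Review bot: the added `Content-Security-Policy` contains only `upgrade-insecure-requests`, which rewrites http:// subresource URLs to https:// and restricts nothing about where scripts, styles or frames may load from, so this line does not provide the injection mitigation a CSP header usually signals; either document that it is intentionally limited to the upgrade directive or add source directives (at least a `default-src`) once the site's resource origins are known. Two more points on the same hunk: the `...` shows existing `<add>` entries above the new ones, and IIS rejects the config with a duplicate-key error if any of these names (most likely `X-Frame-Options` or `X-Content-Type-Options`) is already present, so a `<remove name="..."/>` before each `<add>` would make the fragment safe to paste; and `includeSubDomains` on `Strict-Transport-Security` commits every subdomain to HTTPS for a year, which should be called out in the comment next to the max-age note so it is only enabled once all subdomains serve HTTPS. Minor: the closing `</httpProtocol>`, `</system.webServer>` and `</code>` lines are indented one level deeper than their opening tags.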
azure_web_app_security_hardening.1510975497.txt.gz · Last modified: 2017/11/19 04:24 (external edit)
