azure_web_app_security_hardening

This shows you the differences between two versions of the page.

Previous revision: azure_web_app_security_hardening [2017/11/18 03:40] – [HTTPS Only Cookies] stephen
Current revision: azure_web_app_security_hardening [2017/11/19 05:39] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Azure Web App Security Hardening ====== ====== Azure Web App Security Hardening ======
 +
 +A bunch of checks can be done [[https://securityheaders.io/|here]].
  
 ===== HTTPS Only ===== ===== HTTPS Only =====
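Review bot: the added line `A bunch of checks can be done [[https://securityheaders.io/|here]].` says neither what is checked nor when to run it; since securityheaders.io grades the response headers returned by a deployed, publicly reachable URL, it reads better as a verification step, e.g. `After deploying, point [[https://securityheaders.io/|securityheaders.io]] at the site's public URL to confirm the response headers configured below are actually being sent.` Because it only inspects what the server returns, it will also show whether the Server header removal further down took effect.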
Line 24: Line 26:
 // Add this method:     // Add this method:    
 protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
 + // Trying to remove this in the web.config doesn't work for some reason...
  Response.Headers.Remove("server");  Response.Headers.Remove("server");
 } }
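Review bot: the new comment `// Trying to remove this in the web.config doesn't work for some reason...` leaves the reason out, and it is worth stating: `<remove name="Server"/>` under `<customHeaders>` only affects headers that were themselves configured as custom headers, while IIS adds `Server` itself late in the pipeline, which is why the managed `Response.Headers.Remove("server")` in `Application_PreSendRequestHeaders` works where the web.config approach does not. Two caveats belong next to it: `Response.Headers` is only writable under the IIS integrated pipeline (classic mode throws `PlatformNotSupportedException`), and Microsoft's documentation for `HttpApplication.PreSendRequestHeaders` warns that using this event from managed code can cause problems for asynchronous requests. On IIS 10 or later (Windows Server 2016+), `<security><requestFiltering removeServerHeader="true" /></security>` under `<system.webServer>` in web.config strips the header with no Global.asax code at all. Whichever route is kept, verify the result with `curl -sI https://<site>/ | grep -i '^server:'` and expect no output.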
Line 72: Line 75:
  ...  ...
  <!-- Add these: -->  <!-- Add these: -->
-  <add name="Content-Security-Policy" value="upgrade-insecure-requests" /> + <add name="Content-Security-Policy" value="upgrade-insecure-requests"/> 
-  <add name="X-Frame-Options" value="DENY" />+ <add name="X-Frame-Options" value="DENY"/> 
 + <add name="X-XSS-Protection" value="1; mode=block"/> 
 + <add name="X-Content-Type-Options" value="nosniff"/> 
 + <add name="Referrer-Policy" value="origin-when-cross-origin"/> 
 + <!-- Max-age is in seconds, 31536000 = one year --> 
 + <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
   </customHeaders>   </customHeaders>
   </httpProtocol>   </httpProtocol>
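Review bot: the comment `<!-- Add these: -->` should say what each header does and where the chosen values fall short, because three of them are weaker than they look. `Content-Security-Policy: upgrade-insecure-requests` on its own only upgrades http:// subresource and same-origin navigation requests to https://; with no `default-src` or `script-src` directive it offers no script-injection protection, so it should be annotated as a mixed-content fix rather than a CSP, and `frame-ancestors 'none'` can be appended to it to back up `X-Frame-Options: DENY` in browsers that honor CSP. `Referrer-Policy: origin-when-cross-origin` still sends the origin on an HTTPS-to-HTTP navigation; `strict-origin-when-cross-origin` is the same policy without that leak. `X-XSS-Protection: 1; mode=block` depends on the browser's reflected-XSS auditor, which Chrome and Chromium-based Edge have removed and Firefox never shipped, so it is harmless here but should not be counted as a control. For `Strict-Transport-Security`, `includeSubDomains` commits every subdomain of the custom domain to HTTPS for a year, so it should only be enabled once every subdomain is served over TLS, and browsers only honor the header when it arrives over HTTPS, which is why the HTTPS Only section above has to stay in place for it to take effect.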
azure_web_app_security_hardening.1510976434.txt.gz · Last modified: 2017/11/19 04:40 (external edit)
