====== Azure Web App Security Hardening ======

A bunch of checks can be done [[https://securityheaders.io/|here]].

===== HTTPS Only =====

''~/App_Start/FilterConfig.cs'':

<code c#>
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    // Add this:
    filters.Add(new RequireHttpsAttribute());
</code>

===== Remove Unnecessary Headers =====

''~/Global.asax.cs'':

<code c#>
protected void Application_Start() {
	...
	// Add this:
	MvcHandler.DisableMvcResponseHeader = true;
}

// Add this method:    
protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
	// Trying to remove this in the web.config doesn't work for some reason...
	Response.Headers.Remove("server");
}
</code>

''~/Web.config'':

<code xml>
<system.web>
	...
	<!-- Add enableVersionHeader="false" -->
	<httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
	...
</code>

<code xml>
<system.webServer>
	...
	<!-- Add this section. -->
	<httpProtocol>
		<customHeaders>
			<remove name="X-Powered-By"/>
		</customHeaders>
	</httpProtocol>
</system.webServer>
</code>

===== HTTPS Only Cookies =====

''~/Web.config'':

<code xml>
<system.web>
	...
	<!-- Add this: -->
	<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
</code>

===== Add Security Headers =====

''~/Web.config'':

<code xml>
<system.webServer>
	<httpProtocol>
 		<customHeaders>
			...
			<!-- Add these: -->
				<add name="Content-Security-Policy" value="upgrade-insecure-requests"/>
				<add name="X-Frame-Options" value="DENY"/>
				<add name="X-XSS-Protection" value="1; mode=block"/>
				<add name="X-Content-Type-Options" value="nosniff"/>
				<add name="Referrer-Policy" value="origin-when-cross-origin"/>
				<!-- Max-age is in seconds, 31536000 = one year -->
				<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
 		</customHeaders>
 	</httpProtocol>
 </system.webServer>
 </code>