Several hardening checks can be applied here.
~/App_Start/FilterConfig.cs
:
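public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    // Add this: redirect every non-HTTPS request to HTTPS for all MVC actions.
    // When the snippet is pasted on a single line the "// Add this:" comment swallows
    // the statement, so it must sit on its own line as below.
    // NOTE(review): this is an MVC action filter, so it presumably does not cover
    // static files or non-MVC handlers; HSTS in Web.config handles returning browsers.
    filters.Add(new RequireHttpsAttribute());
}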
~/Global.asax.cs
:
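protected void Application_Start()
{
    // ... existing startup code stays here ...

    // Add this: stop MVC from emitting the X-AspNetMvc-Version response header.
    MvcHandler.DisableMvcResponseHeader = true;
}

// Add this method: strips the "server" header right before the response headers
// are sent, because trying to remove it in the web.config doesn't work for some reason.
// NOTE(review): on IIS 10 and later the same thing can reportedly be done declaratively
// with removeServerHeader="true" under <system.webServer><security><requestFiltering>
// (verify for your IIS version) and is preferable, since PreSendRequestHeaders is
// discouraged in the integrated pipeline.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // The event can fire without a live request context (some error responses), in
    // which case touching Response throws; guard on HttpContext.Current instead.
    HttpContext context = HttpContext.Current;
    if (context == null)
    {
        return;
    }

    context.Response.Headers.Remove("server");
}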
~/Web.config
:
<system.web>
  <!-- ... existing settings ... -->
  <!-- Add enableVersionHeader="false": suppresses the X-AspNet-Version response header. -->
  <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
  <!-- ... -->
</system.web>

<system.webServer>
  <!-- ... existing settings ... -->
  <!-- Add this section: drops the X-Powered-By header that IIS adds by default. -->
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
~/Web.config
:
<system.web>
  <!-- ... existing settings ... -->
  <!-- Add this: every cookie ASP.NET writes gets the HttpOnly flag (no script access)
       and, through requireSSL, the Secure flag (never sent over plain HTTP). -->
  <!-- NOTE(review): the forms-authentication ticket has its own requireSSL attribute
       on <forms>; set it there as well if forms auth is in use. On targetFramework
       4.7.2 or later a sameSite attribute is also available on this element. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
~/Web.config
:
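<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- ... existing entries ... -->
      <!-- Add these: -->

      <!-- Only rewrites http:// sub-resource URLs to https://; it does not restrict
           where scripts or styles may load from. A real source policy (default-src,
           script-src, ...) is an app-specific exercise; roll it out with
           Content-Security-Policy-Report-Only first. -->
      <add name="Content-Security-Policy" value="upgrade-insecure-requests" />

      <!-- Forbid framing by any origin (clickjacking). CSP frame-ancestors 'none' is the
           modern equivalent; keep this header for browsers without CSP support. -->
      <add name="X-Frame-Options" value="DENY" />

      <!-- Was "1; mode=block". Current browsers no longer ship the legacy XSS auditor,
           and where it still exists its blocking mode can be turned against the page
           to leak information, so current guidance is to explicitly disable it. -->
      <add name="X-XSS-Protection" value="0" />

      <!-- Stop browsers from guessing a MIME type other than the declared Content-Type. -->
      <add name="X-Content-Type-Options" value="nosniff" />

      <!-- Was "origin-when-cross-origin". The strict variant sends no referrer at all on
           an https to http downgrade, so the origin is never leaked in clear text. -->
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />

      <!-- Max-age is in seconds, 31536000 = one year. Browsers only honour this header
           on a response received over HTTPS (RequireHttpsAttribute gets them there).
           includeSubDomains applies to every subdomain, so make sure all of them serve
           HTTPS before shipping it; the preload list is a separate opt-in. -->
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
    </customHeaders>
  </httpProtocol>
</system.webServer>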