
Azure Web App Security Hardening

Several hardening checks can be applied here; each one is listed below with the file to edit and the lines to add.

HTTPS Only

~/App_Start/FilterConfig.cs:

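public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    // Add this:
    // RequireHttpsAttribute is registered globally, so it applies to every MVC
    // action. Documented behaviour: a plain-HTTP GET is redirected to the
    // HTTPS URL; a non-GET request over plain HTTP is rejected.
    // NOTE(review): a global MVC filter covers MVC actions only - static
    // files, Web API controllers and other handlers are not redirected by
    // it. If the hosting platform offers an HTTPS-only switch, enable that
    // as well so non-MVC requests are covered too.
    filters.Add(new RequireHttpsAttribute());
}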

Remove Unnecessary Headers

~/Global.asax.cs:

// Application_Start is the app-wide startup hook; the MVC version banner is
// switched off here so it never reaches a response.
protected void Application_Start() {
	...
	// Add this:
	// Suppresses the X-AspNetMvc-Version response header, which would otherwise
	// advertise the exact MVC version to every client (fingerprinting aid).
	MvcHandler.DisableMvcResponseHeader = true;
}
 
// Add this method:    
// Strips the Server header (which names the web server and its version)
// just before the response headers are written out.
// NOTE(review): the config-only route (<remove name="Server"/> under
// customHeaders in Web.config) does not take effect; presumably IIS writes
// this header itself after customHeaders are applied, which is why a
// code-behind hook is used instead.
// NOTE(review): Microsoft's "what not to do in ASP.NET" guidance advises
// against PreSendRequestHeaders with managed modules / async handlers and
// points to HttpResponse.AddOnSendingHeaders (e.g. registered from
// Application_BeginRequest) as the replacement - confirm before relying on
// this event. Accessing Response.Headers also requires the IIS integrated
// pipeline, which is the App Service default - verify for other hosts.
protected void Application_PreSendRequestHeaders(object sender, EventArgs e) {
	var responseHeaders = Response.Headers;
	// IIS emits the header as "Server"; the lookup here is presumably
	// case-insensitive - verify on the target runtime.
	responseHeaders.Remove("server");
}

~/Web.config:

<system.web>
	...
	<!-- Add enableVersionHeader="false" -->
	<!-- Suppresses the X-AspNet-Version response header (framework version banner). -->
	<httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
	...
<system.webServer>
	...
	<!-- Add this section. -->
	<!-- Drops the X-Powered-By header that IIS adds by default. -->
	<!-- NOTE(review): the Server header is not handled here; a <remove name="Server"/> entry in
	     customHeaders does not take effect (it is removed from code in Global.asax.cs instead).
	     On IIS 10+ the requestFiltering removeServerHeader="true" setting is a config-only
	     alternative - confirm it is available on the target platform before using it. -->
	<httpProtocol>
		<customHeaders>
			<remove name="X-Powered-By"/>
		</customHeaders>
	</httpProtocol>
</system.webServer>

HTTPS Only Cookies

~/Web.config:

<system.web>
	...
	<!-- Add this: -->
	<!-- httpOnlyCookies="true": cookies ASP.NET creates default to HttpOnly (not readable from script).
	     requireSSL="true": cookies ASP.NET creates default to the Secure flag, so the browser only sends
	     them over HTTPS. NOTE(review): with requireSSL enabled, forms authentication refuses to issue its
	     cookie on a plain-HTTP request, so keep this paired with an HTTPS-only redirect. Cookies set by
	     other means (client-side script, non-ASP.NET modules) are not covered by this setting - verify
	     those separately. -->
	<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>

Add Security Headers

~/Web.config:

<system.webServer>
	<httpProtocol>
 		<customHeaders>
			...
			<!-- Add these: -->
			<!-- These are emitted on every response IIS serves for the site, including static files and error pages. -->
			<!-- upgrade-insecure-requests only rewrites http:// sub-resource URLs to https://; it is not a
			     source allow-list. NOTE(review): a restrictive default-src/script-src policy is an app-specific
			     follow-up - trial it with Content-Security-Policy-Report-Only before enforcing. -->
				<add name="Content-Security-Policy" value="upgrade-insecure-requests"/>
			<!-- DENY blocks all framing, including by the same origin; use SAMEORIGIN if the app frames itself.
			     The CSP equivalent is frame-ancestors. -->
				<add name="X-Frame-Options" value="DENY"/>
			<!-- NOTE(review): the browser XSS auditor this header controlled has been removed from current
			     Chromium-based browsers and was never present in Firefox; OWASP's header guidance now
			     recommends the value 0 (or omitting the header). CSP is the replacement - consider changing. -->
				<add name="X-XSS-Protection" value="1; mode=block"/>
			<!-- Stops MIME-type sniffing; responses must therefore send a correct Content-Type. -->
				<add name="X-Content-Type-Options" value="nosniff"/>
			<!-- NOTE(review): origin-when-cross-origin still sends the origin when navigating from HTTPS to
			     plain HTTP; strict-origin-when-cross-origin is the stricter choice and is the current
			     browser default. -->
				<add name="Referrer-Policy" value="origin-when-cross-origin"/>
				<!-- Max-age is in seconds, 31536000 = one year -->
				<!-- HSTS is only honoured when received over HTTPS. NOTE(review): includeSubDomains makes
				     browsers refuse plain HTTP for every subdomain for the whole max-age, so confirm all
				     subdomains already serve HTTPS; a short max-age is safer for the initial rollout. -->
				<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/>
 		</customHeaders>
 	</httpProtocol>
 </system.webServer>