azure_web_app_security_hardening
Table of Contents
Azure Web App Security Hardening
A bunch of checks can be done here.
HTTPS Only
~/App_Start/FilterConfig.cs
:
public static void RegisterGlobalFilters(GlobalFilterCollection filters) { // Add this: filters.Add(new RequireHttpsAttribute());
Remove Unnecessary Headers
~/Global.asax.cs
:
protected void Application_Start() { ... // Add this: MvcHandler.DisableMvcResponseHeader = true; } // Add this method: protected void Application_PreSendRequestHeaders(object sender, EventArgs e) { // Trying to remove this in the web.config doesn't work for some reason... Response.Headers.Remove("server"); }
~/Web.config
:
<system.web> ... <!-- Add enableVersionHeader="false" --> <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" /> ...
<system.webServer> ... <!-- Add this section. --> <httpProtocol> <customHeaders> <remove name="X-Powered-By"/> </customHeaders> </httpProtocol> </system.webServer>
HTTPS Only Cookies
~/Web.config
:
<system.web> ... <!-- Add this: --> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web>
Add Security Headers
~/Web.config
:
<system.webServer> <httpProtocol> <customHeaders> ... <!-- Add these: --> <add name="Content-Security-Policy" value="upgrade-insecure-requests"/> <add name="X-Frame-Options" value="DENY"/> <add name="X-XSS-Protection" value="1; mode=block"/> <add name="X-Content-Type-Options" value="nosniff"/> <add name="Referrer-Policy" value="origin-when-cross-origin"/> <!-- Max-age is in seconds, 31536000 = one year --> <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains"/> </customHeaders> </httpProtocol> </system.webServer>
azure_web_app_security_hardening.txt · Last modified: 2017/11/19 05:39 by 127.0.0.1