Azure Web App Security Hardening
HTTPS Only
~/App_Start/FilterConfig.cs:

```csharp
using System.Web.Mvc;

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    // Add this: redirect every plain-HTTP request to HTTPS.
    filters.Add(new RequireHttpsAttribute());
}
```
Remove Unnecessary Headers
~/Global.asax.cs:

```csharp
protected void Application_Start()
{
    ...
    // Add this:
    MvcHandler.DisableMvcResponseHeader = true;
}

// Add this method:
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
    // Trying to remove this in the web.config doesn't work for some reason...
    Response.Headers.Remove("server");
}
```
~/Web.config:

```xml
<system.web>
  ...
  <!-- Add enableVersionHeader="false" -->
  <httpRuntime targetFramework="4.5.2" enableVersionHeader="false" />
  ...
</system.web>

<system.webServer>
  ...
  <!-- Add this section. -->
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
```
HTTPS Only Cookies
~/Web.config:

```xml
<system.web>
  ...
  <!-- Add this: -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
```
Add Security Headers
~/Web.config:

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      ...
      <!-- Add these: -->
      <add name="Content-Security-Policy" value="upgrade-insecure-requests" />
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```
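To confirm the four changes above actually took effect after deployment, the following Python script (an added example, not part of the original page) audits a captured HTTP response head against each section: the HTTPS redirect, the disclosing headers, the cookie flags, and the two added headers. The response samples are constructed inline so it runs offline; point `audit()` at a real captured response to check a live app.

```python
# Headers the Global.asax.cs and Web.config changes above are meant to suppress / add.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
REQUIRED = ("content-security-policy", "x-frame-options")

def parse_response(raw):
    # Split a raw HTTP/1.1 response head into (status code, [(name, value), ...]).
    status_line, *lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]
    return int(status_line.split(" ")[1]), headers

def audit(raw, over_https):
    # Return a list of findings; an empty list means every check on this page passes.
    status, headers = parse_response(raw)
    names = {n for n, _ in headers}
    findings = []
    # HTTPS Only: RequireHttpsAttribute answers a plain-HTTP GET with a redirect.
    if not over_https and status not in (301, 302, 307, 308):
        findings.append("plain HTTP answered %d instead of redirecting to HTTPS" % status)
    # Remove Unnecessary Headers
    findings += ["disclosing header present: " + n for n in DISCLOSING if n in names]
    # HTTPS Only Cookies: requireSSL / httpOnlyCookies show up as Set-Cookie attributes.
    for n, v in headers:
        if n == "set-cookie":
            attrs = {p.strip().lower() for p in v.split(";")[1:]}
            cookie = v.split("=", 1)[0]
            findings += ["cookie %s lacks %s" % (cookie, f) for f in ("secure", "httponly") if f not in attrs]
    # Add Security Headers
    findings += ["missing header: " + n for n in REQUIRED if n not in names]
    return findings

# Constructed sample responses: the un-hardened app, the same app after the changes on
# this page, and the redirect a hardened app returns to a plain-HTTP request.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
          "X-AspNet-Version: 4.0.30319\r\nX-AspNetMvc-Version: 5.2\r\n"
          "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\nContent-Length: 0\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: upgrade-insecure-requests\r\n"
         "X-Frame-Options: DENY\r\nContent-Length: 0\r\n"
         "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly\r\n\r\n")
REDIRECT = ("HTTP/1.1 302 Found\r\nLocation: https://example.invalid/\r\n"
            "Content-Security-Policy: upgrade-insecure-requests\r\nX-Frame-Options: DENY\r\n\r\n")

if __name__ == "__main__":
    for label, raw, https in (("before", BEFORE, True), ("after", AFTER, True), ("http", REDIRECT, False)):
        print(label, audit(raw, https) or ["ok"])
```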
Last modified: 2017/11/19 04:41 (external edit)