ASP.NET Header Cleanup, HSTS Implementation and Browser Security

on in Blog
Last modified on

Here’s how to improve the security of an ASP.NET powered web site, with no access to the underlying code (controllers and views).

1. The first thing is to automatically (permanently) redirect non-www to www, then http to https.
Check your SSL implementation at

2. The second one is to always force https and to implement HSTS.
By adding the Strict Transport Security header to your site, you secure every visit from your visitors except for the initial visit. That still leaves your site vulnerable to MITM (man-in-the-middle) attacks for that initial visit, so there is a technique called “preloading” that will add your site to a pre-populated domain list. Once your site is on that list, the major browsers that support HSTS preloading will be notified that your site requires SSL, and every visit, even the very first one from a visitor, will automatically be forced through SSL.

3. The third thing is to remove useless headers and to implement advanced browser security.
Check these settings and headers using

These being said, edit your Web.config file in your website root and add the following lines:

            <remove name="Server" />
            <remove name="X-AspNet-Version" />
            <remove name="X-AspNetMvc-Version" />
            <remove name="X-Powered-By" />
            <add name="Strict-Transport-Security" value="max-age=31536000" />
            <add name="X-Frame-Options" value="DENY" />
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <rule name="one domain" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                    <add input="{HTTP_HOST}" negate="true" pattern="" />
                <action type="Redirect" url="{R:1}" redirectType="Permanent" />
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                <action type="Rewrite" value="max-age=31536000" />

I have implemented these changes for Charles McCarthy – West Cork Properties in an effort to make the site more secure and more trustworthy.

Related posts