getButterfly
Dublin, Ireland

All Content Copyright ©2018

ASP.NET Header Cleanup, HSTS Implementation and Browser Security

Here’s how to improve the security of an ASP.NET powered web site, with no access to the underlying code (controllers and views).

1. The first thing is to automatically (permanently) redirect non-www to www, then http to https.
Check your SSL implementation at https://www.ssllabs.com/ssltest/.

2. The second one is to always force https and to implement HSTS.
By adding the Strict-Transport-Security header to your site, you secure every visit from your visitors except for the initial one: a browser only learns the policy from an HTTPS response it has already received. That still leaves your site vulnerable to MITM (man-in-the-middle) attacks on that initial visit, so there is a technique called “preloading” that adds your site to a pre-populated domain list compiled into the browsers themselves. Once your site is on that list, the major browsers that support HSTS preloading know that your site requires SSL, and every visit, even the very first one from a visitor, will automatically be forced through SSL.

3. The third thing is to remove useless headers and to implement advanced browser security.
Check these settings and headers using SecurityHeaders.com.
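The checks a service like SecurityHeaders.com performs can also be run offline against a captured response, which is useful for verifying a deployment before and after the Web.config change. The script below is an added example, not code from the original post: it parses the header block of a raw HTTP/1.1 response and reports any of the leaky headers the configuration strips, any of the browser-security headers it adds that are missing or carry a different value, and whether the HSTS max-age meets the one-year value the configuration uses. The two responses are constructed for illustration; they are not captures from any real site.

```python
"""Audit a captured HTTP response against the header policy applied in this post.

Added example, not part of the original post. The two sample responses are
constructed for illustration and are not captures from any real site.
"""
import re

# Headers the post's Web.config strips because they leak server details
LEAKY_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")

# Headers the post's Web.config adds, with the value each must carry
REQUIRED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

MIN_HSTS_MAX_AGE = 31536000  # one year, the max-age used in the post's config


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict with
    lower-cased names. The status line is skipped and parsing stops at the
    blank line that separates headers from the body."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str):
    """Return the integer max-age from an HSTS header value, or None if the
    directive is absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(raw_response: str, over_https: bool = True) -> list:
    """Return a list of findings; an empty list means the response matches
    the policy. over_https says whether the response was served on TLS,
    because HSTS is only evaluated by browsers on HTTPS responses."""
    h = parse_response_headers(raw_response)
    findings = []
    for name in LEAKY_HEADERS:
        if name.lower() in h:
            findings.append(f"leaks {name}: {h[name.lower()]}")
    for name, expected in REQUIRED_HEADERS.items():
        got = h.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != expected.lower():
            findings.append(f"{name} is {got!r}, expected {expected!r}")
    if over_https:
        sts = h.get("strict-transport-security")
        age = hsts_max_age(sts) if sts else None
        if age is None:
            findings.append("missing or malformed Strict-Transport-Security")
        elif age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample: a default ASP.NET response before the Web.config change
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response after the Web.config change
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or ["ok"])
```

Run it against a response saved with curl -i (or any proxy capture) by passing the raw text to audit(); pass over_https=False for a plain-HTTP capture so a missing HSTS header is not reported where browsers would ignore it anyway.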

With that said, edit the Web.config file in your website root and add the following lines:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- Caveat: a <remove> here only reliably strips headers that are themselves custom
                 headers (X-Powered-By comes from applicationHost.config and is removed this way).
                 The Server header is added by IIS after this stage; on IIS 10 (1709+) use
                 <security><requestFiltering removeServerHeader="true" /></security> instead.
                 X-AspNet-Version is suppressed by <httpRuntime enableVersionHeader="false" /> in
                 <system.web>, and X-AspNetMvc-Version is set by the MVC handler in code.
                 Verify the result with SecurityHeaders.com rather than assuming the removal worked. -->
            <remove name="Server" />
            <remove name="X-AspNet-Version" />
            <remove name="X-AspNetMvc-Version" />
            <remove name="X-Powered-By" />
            <!-- Sent on every response, plain HTTP included; browsers ignore HSTS on HTTP, and the
                 outbound rule below sets the same value only when HTTPS is on. Preload submission
                 additionally requires "includeSubDomains; preload" and a max-age of at least one year. -->
            <add name="Strict-Transport-Security" value="max-age=31536000" />
            <add name="X-Frame-Options" value="DENY" />
            <!-- Controls the legacy XSS auditor, which current Chrome and Edge no longer ship; harmless to keep. -->
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
        </customHeaders>
    </httpProtocol>
    <rewrite>
        <rules>
            <!-- Wildcard syntax: "*" is captured as {R:1}; the condition is an exact host match. -->
            <rule name="one domain" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions>
                    <add input="{HTTP_HOST}" negate="true" pattern="www.example.com" />
                </conditions>
                <action type="Redirect" url="https://www.example.com/{R:1}" redirectType="Permanent" />
            </rule>
            <!-- Runs only for the canonical host, since the rule above redirects every other host,
                 localhost included; add the same localhost exclusion there if you develop locally. -->
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
            </rule>
        </rules>
        <outboundRules>
            <!-- Sets the HSTS value on HTTPS responses only, the spec-conformant way to emit it. -->
            <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                <conditions>
                    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                </conditions>
                <action type="Rewrite" value="max-age=31536000" />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>
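Because the two inbound rules interact (the first one matches before the second is consulted), it is worth tracing what a given request actually does before deploying. The script below is an added example, not code from the original post and not the IIS URL Rewrite engine itself: it re-implements only the matching logic the two rules above express, using www.example.com, the placeholder host from the configuration, and follows the resulting redirect chain for a few constructed request URLs.

```python
"""Simulate the two inbound rewrite rules from the Web.config above and trace
the redirect chain a request would follow.

Added example, not part of the original post and not the IIS URL Rewrite
engine: it re-implements only what the two rules express. The canonical
host www.example.com is the placeholder used in the post's configuration.
"""
import re
from urllib.parse import urlsplit

CANONICAL_HOST = "www.example.com"  # placeholder host from the post's config
MAX_HOPS = 5


def split_request(url: str):
    """Return (https_on, host, r1). r1 is what {R:1} holds for these rules:
    the path without its leading slash, plus the query string, which the
    Redirect action appends by default (appendQueryString="true")."""
    parts = urlsplit(url)
    r1 = parts.path.lstrip("/")
    if parts.query:
        r1 += "?" + parts.query
    return parts.scheme == "https", parts.netloc.lower(), r1


def apply_rules(url: str):
    """Return (301, location) if one of the two rules redirects the request,
    or (None, None) if it passes through to the application."""
    https_on, host, r1 = split_request(url)

    # Rule "one domain": wildcard syntax, so the condition is an exact,
    # case-insensitive host comparison; any other host is sent to the
    # canonical host over HTTPS and processing stops.
    if host != CANONICAL_HOST:
        return 301, f"https://{CANONICAL_HOST}/{r1}"

    # Rule "HTTP to HTTPS redirect": regex syntax, so "localhost" is a
    # substring match; plain HTTP on any other host goes to https://{HTTP_HOST}/{R:1}.
    if not https_on and not re.search("localhost", host):
        return 301, f"https://{host}/{r1}"

    return None, None


def redirect_chain(url: str):
    """Follow the rules until a request passes through and return every URL
    visited, starting with the original request. Raises on a loop."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = apply_rules(chain[-1])
        if status is None:
            return chain
        chain.append(location)
    raise RuntimeError("redirect loop: " + " -> ".join(chain))


if __name__ == "__main__":
    # Constructed request URLs covering the cases the two rules distinguish
    for request in ("http://example.com/listing?id=5",
                    "http://www.example.com/about",
                    "https://www.example.com/",
                    "http://localhost/test"):
        print(" -> ".join(redirect_chain(request)))
```

Tracing http://localhost/test shows that the localhost exclusion in the second rule never takes effect: the "one domain" rule runs first and already sends every non-canonical host, localhost included, to the production domain. If local development over plain HTTP matters, the same localhost exclusion has to be added to the first rule's conditions as well. The other traces confirm that a bare-domain request reaches the canonical HTTPS URL in a single hop, which is what keeps the redirect chain short for the SSL Labs and SecurityHeaders.com checks.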

I have implemented these changes for Charles McCarthy – West Cork Properties in an effort to make the site more secure and more trustworthy.

