ASP.NET Header Cleanup, HSTS Implementation and Browser Security

Here’s how to improve the security of an ASP.NET-powered web site without access to the underlying code (controllers and views): everything below is done in Web.config.

1. The first thing is to automatically (permanently) redirect non-www to www, then http to https.
Check your SSL implementation at

2. The second one is to always force https and to implement HSTS.
By adding the Strict-Transport-Security header to your site, you secure every visit from your visitors except the initial one. That still leaves your site vulnerable to MITM (man-in-the-middle) attacks on that first visit, so there is a technique called “preloading” that adds your site to a pre-populated domain list shipped with the browsers. Once your site is on that list, the major browsers that support HSTS preloading already know that your site requires SSL, and every visit, even the very first one from a visitor, is forced through SSL.

3. The third thing is to remove the headers that disclose the server and framework versions (they serve no purpose for visitors) and to enable the browser-side protections controlled by response headers.
Check these settings and headers using

That said, edit the Web.config file in your website root and add the following inside its <configuration> element (the extraction of this post lost the closing tags and the canonical host of the “one domain” rule, so the host pattern and redirect target below are left empty and must be set to your own www domain):

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Server" />
                <remove name="X-AspNet-Version" />
                <remove name="X-AspNetMvc-Version" />
                <remove name="X-Powered-By" />
                <add name="Strict-Transport-Security" value="max-age=31536000" />
                <add name="X-Frame-Options" value="DENY" />
                <add name="X-XSS-Protection" value="1; mode=block" />
                <add name="X-Content-Type-Options" value="nosniff" />
            </customHeaders>
        </httpProtocol>
        <rewrite>
            <rules>
                <rule name="one domain" patternSyntax="Wildcard" stopProcessing="true">
                    <match url="*" />
                    <conditions>
                        <add input="{HTTP_HOST}" negate="true" pattern="" />
                    </conditions>
                    <action type="Redirect" url="{R:1}" redirectType="Permanent" />
                </rule>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>

The “one domain” rule runs first and sends every request whose host is not the canonical one to the canonical host; the second rule then moves plain HTTP onto HTTPS (localhost is excluded so local debugging keeps working). Browsers ignore a Strict-Transport-Security header received over plain HTTP, so the header is only meaningful on the HTTPS responses the outbound rule rewrites.
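To verify the result after deploying, the script below (an added example, not part of the original post) audits a captured set of response headers against the policy above: the version-disclosing headers must be gone, the three browser-hardening headers must carry the exact values set in the Web.config, and the HSTS max-age must be at least one year. With preload_target=True it also requires the includeSubDomains and preload directives that the preload list demands, which the max-age=31536000 value above does not yet carry. The sample header sets are constructed, not captured from a real site.

```python
# Headers the <customHeaders> block removes; any of them present is a finding.
VERSION_LEAK_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
# Headers the block adds, with the exact values it sets.
EXPECTED_HEADERS = {"X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block",
                    "X-Content-Type-Options": "nosniff"}
ONE_YEAR = 31536000  # minimum max-age the HSTS preload list accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def audit_headers(headers, preload_target=False):
    """Return findings for a dict of response headers; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in VERSION_LEAK_HEADERS:
        if name.lower() in h:
            findings.append(f"{name} still present: {h[name.lower()]!r}")
    for name, expected in EXPECTED_HEADERS.items():
        actual = h.get(name.lower())
        if actual is None:
            findings.append(f"{name} missing")
        elif actual.strip().lower() != expected.lower():
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
        return findings
    d = parse_hsts(hsts)
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else -1
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
    if preload_target and not ("includesubdomains" in d and "preload" in d):
        findings.append("HSTS lacks includeSubDomains and/or preload, both required for preloading")
    return findings

# Constructed samples: a default IIS/ASP.NET response before the change, and one after.
BEFORE = {"Server": "Microsoft-IIS/10.0", "X-AspNet-Version": "4.0.30319",
          "X-Powered-By": "ASP.NET", "Content-Type": "text/html"}
AFTER = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY",
         "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs, preload_target=True) or ["compliant"])
```

Feed it the headers of a live response (for example from a requests or PowerShell Invoke-WebRequest call) to confirm the Web.config took effect on both the root and a deep URL.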

I have implemented these changes for Charles McCarthy – West Cork Properties in an effort to make the site more secure and more trustworthy.

Added by Ciprian on Tuesday, June 26, 2018 in Blog
