Simple measure to improve your .NET web application security

The recently published vulnerability at Moonpig makes it clear that there is no place for complacency when it comes to securing the applications we create, even APIs.

The starting point for securing a web application or web site involves implementing measures for the following:

  • Authentication
  • Authorisation
  • SQL injection prevention
  • XSS prevention
  • CSRF prevention
  • DOS prevention
  • DDOS prevention
  • Encrypting sensitive data

I won't be covering strategies for those here; OWASP has plenty of guidance. Assuming you have taken good measures on these, here are some simple steps you can take to further secure a .NET web application.


Avoid leaking internal implementation details

Remove response headers

Server
In global.asax.cs:

protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
   HttpContext.Current.Response.Headers.Remove("Server");
}


X-AspNet-Version
In the web.config:

<system.web>
   <httpRuntime enableVersionHeader="false" />
</system.web>


X-AspNetMvc-Version
In global.asax.cs:

protected void Application_Start()
{
   MvcHandler.DisableMvcResponseHeader = true;
}


X-Powered-By
In the web.config:

<system.webServer>
   <httpProtocol>
       <customHeaders>
           <remove name="X-Powered-By" />
       </customHeaders>
   </httpProtocol>
</system.webServer>

Disable tracing, debugging and verbose error messages

In the web.config:

<system.web>
   <trace enabled="false" localOnly="true" />
   <compilation debug="false" />
   <customErrors mode="RemoteOnly" />
</system.web>


Prevent click-jacking

Add response header

X-Frame-Options: SAMEORIGIN
In the web.config:

<system.webServer>
   <httpProtocol>
       <customHeaders>
           <add name="X-Frame-Options" value="SAMEORIGIN" />
       </customHeaders>
   </httpProtocol>
</system.webServer>
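To confirm the header changes above actually took effect, here is an added check (not code from the original post): it parses a response header block, flags any of the four implementation-revealing headers the post removes, and checks that X-Frame-Options is DENY or SAMEORIGIN. The sample responses are constructed; audit_url() fetches a live response with the standard library.

```python
# Added example (not from the original post): audit an HTTP response for the
# information-leaking headers discussed above and for X-Frame-Options.
import http.client
from urllib.parse import urlsplit

# Headers the post removes; none of them should reach the client.
LEAKY_HEADERS = ("server", "x-aspnet-version", "x-aspnetmvc-version", "x-powered-by")
FRAME_OK = ("deny", "sameorigin")  # accepted X-Frame-Options values, case-insensitive


def parse_headers(raw):
    """Turn a raw 'Name: value' header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or malformed line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means the response is clean."""
    findings = [f"leaks {n}: {headers[n]}" for n in LEAKY_HEADERS if n in headers]
    if headers.get("x-frame-options", "").lower() not in FRAME_OK:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


def audit_url(url, timeout=10):
    """Fetch a live response with a HEAD request and audit its headers."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return audit_headers({k.lower(): v for k, v in conn.getresponse().getheaders()})
    finally:
        conn.close()


# Constructed sample: a default ASP.NET MVC response before the hardening steps.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
X-Powered-By: ASP.NET
Content-Type: text/html"""
# Constructed sample: the same response after the web.config and global.asax changes.
SAMPLE_AFTER = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\nContent-Type: text/html"

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_headers(parse_headers(raw)) or ["clean"])
```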

Prevent listing in search engines

Add a "robots.txt" file to the root of your site, containing the following:

User-agent: *
Disallow: /

Obscurity alone is insufficient to ensure application security.

I hope these simple measures help you to improve the security of your application.
