web.config security in ASP.NET

Customizing your web.config is an easy way to make changes to your web site. Not only can you set app values, connection strings and such, but you can also apply security settings to your web site. I’ve listed various examples below.

Force your web site to transmit cookies only over SSL.

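<!-- Require cookies to be transmitted over SSL.
     httpOnlyCookies: cookies are flagged HttpOnly so page script cannot read them.
     requireSSL:      cookies are flagged Secure so the browser only sends them over HTTPS;
                      pair this with the HTTP to HTTPS redirect rule so nothing is served over plain HTTP.
     lockItem:        web.config files in sub-folders cannot override this element.
     NOTE(review): forms authentication has its own requireSSL attribute on <forms>; confirm it is
     set as well if forms authentication is in use. -->
<system.web>
  <httpCookies httpOnlyCookies="true" requireSSL="true" lockItem="true" />
</system.web>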

Custom Headers, auto-redirect, and same-site cookie restrictions.

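<system.webServer>
  <validation validateIntegratedModeConfiguration="false"/>
  <!-- Runs the managed module pipeline for every request, static files included, so the
       outbound rules below are applied to all responses. -->
  <modules runAllManagedModulesForAllRequests="true"/>
  <httpProtocol>
    <customHeaders>
      <!-- <clear/> drops the custom headers inherited from the server-level config, which is where
           the default X-Powered-By header comes from. The X-AspNet-Version header is not a custom
           header; suppress it with <httpRuntime enableVersionHeader="false"/> under <system.web>. -->
      <clear/>
      <add name="X-FRAME-OPTIONS" value="DENY"/>
      <add name="X-Content-Type-Options" value="nosniff"/>
      <!-- HSTS for one year, covering sub-domains. Browsers only honour this header on HTTPS
           responses, so the HTTP to HTTPS redirect below is what gets the first visit onto TLS. -->
      <add name="strict-transport-security" value="max-age=31536000; includeSubdomains"/>
      <!-- NOTE(review): the XSS auditor this header controlled has been removed from current
           browsers and current guidance is to send "0" or omit the header; a Content-Security-Policy
           is the replacement. Left as the author set it. -->
      <add name="X-Xss-Protection" value="1; mode=block"/>
      <!-- Draft CSP, currently disabled. 'unsafe-inline' and 'unsafe-eval' in script-src remove
           most of the protection CSP gives against injected script; tighten them before enabling. -->
      <!--<add name="Content-Security-Policy" value="default-src 'self'; child-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com https://maxcdn.bootstrapcdn.com/ https://fonts.googleapis.com https://oss.maxcdn.com https://ajax.googleapis.com; img-src 'self' https://www.google-analytics.com; style-src 'self' 'unsafe-inline'" />-->
      <add name="Referrer-Policy" value="same-origin"/>
    </customHeaders>
  </httpProtocol>
  <httpErrors>
    <!-- Replace the default 403 page with a redirect to the site root, so a forbidden request
         reveals nothing about the resource it hit. -->
    <remove statusCode="403" subStatusCode="-1"/>
    <error statusCode="403" prefixLanguageFilePath="" path="https://www.freedomfreelancer.com/" responseMode="Redirect"/>
  </httpErrors>
  <rewrite>
    <rules>
      <!-- HTTP to HTTPS: any request that arrived without TLS is redirected to the same path on
           HTTPS; the query string is appended by default. {HTTP_HOST} echoes the request's Host
           header, so keep the site bindings restricted to the real hostnames.
           NOTE(review): redirectType="SeeOther" is a 303; a 301 (Permanent) is what is usually used
           for this redirect so browsers cache the upgrade. -->
      <rule name="http to https" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
      </rule>
    </rules>
    <outboundRules>
      <!-- Remove Server Response Header: this overwrites the Server header value rather than
           deleting it. On IIS 10 and later, <requestFiltering removeServerHeader="true"/> under
           <security> removes the header outright. -->
      <rule name="Remove Server Response Header">
        <match serverVariable="RESPONSE_SERVER" pattern=".*" />
        <action type="Rewrite" value="FreedomFreelancer" />
      </rule>
      <!-- Cookie samesite restriction: append SameSite=strict to every Set-Cookie header that does
           not already carry it. Strict cookies are not sent on navigations that start on another
           site, which can break flows such as returning from an external login provider; Lax is the
           usual choice where that matters.
           NOTE(review): the pre-condition only excludes "SameSite=strict", so a cookie that already
           says SameSite=Lax or SameSite=None gets a second SameSite attribute appended; confirm that
           is the intent. -->
      <rule name="AddSameSite" preCondition="NoSameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=strict" />
      </rule>
      <preConditions>
        <preCondition name="NoSameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=strict" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
  </rewrite>
</system.webServer>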

Helpful sites when doing security scans:
