ASP.NET web application security check list

Things to do before your web application goes live

There are several things to be taken care of during development and before deployment to keep you online web app tip top regarding performance and security.

1. Logging informations

Logging of application behavior is certainly a bit different in debug and release environment. For sure you are going to monitor more in debug/development environment. That is one of the reasons you should follow some guidelines during development. To read more about separating debug and release code check more in article Separate Debug and Release code in C#. This will make your app a bit faster by skipping unnecessary logging while in production environment.

2. Compile application and libraries with Release configuration in Visual Studio

Debug and Release configuration are a bit different and therefore libraries compiled in these two modes will be functional the same but in the end a bit different. You can notice that Release compiled libraries are lighter than debug. That is because some of the debug informations are stripped in release compilation. Therefore release compiled code is faster that debug. Beside point 1 in this article relies on the compilation configuration too, so you'll be killing two flies with one hit.

Vs Config

3. Switch off debug option in web.config

Switching off debug option in web.config will restrict displaying exception message and line when they happen during application running.

<configuration> 
	<system.web>
		<compilation defaultLanguage="c#" debug="false" batch="false" targetFramework="4.0">
	</system.web>
</configuration> 
    

4. Use custom error pages

Generic ASP.NET error pages do not reveal pretty much anything about the exception that happen as debug mode is previously switched off. However thay can reveal some details about the platform an therefore make your application more vulnerable to attacks from outside.

Creation a lightweight user-friendly static html page will do the thing. After creating static html pages for errors there s a configuration to be done in web.config

<configuration> 
  <system.web>
    <customErrors mode="On" defaultRedirect="~/500.html" redirectMode="ResponseRewrite">
      <error statusCode="404" redirect="~/404" />
      <error statusCode="403" redirect="~/403" />
    </customErrors>
  <system.web>
</configuration> 
    

Read more about setting up custom error pages at MSDN online

5. Remove custom headers

Pretty much any IDE or platform adds its own headers. This is not much important for modern browsers but it can be used to determine the platform your application is running on and therefore make it more easier for someone to hunt security holes for that platform. It can be done by a simple web.config update.

<configuration> 
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<removename="X-Powered-By"/>
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration> 
    

6. Prevent Click-Jacking

Add the following configuration option to prevent your website to load inside iframe.

<configuration> 
	<system.webServer>
		<httpProtocol>
			<customHeaders>
				<add name="X-Frame-Options" value="DENY" />
			</customHeaders>
		</httpProtocol>
	</system.webServer>
</configuration> 
    

More about click-jacking check in article The X-Frame-Options response header

7. Prevent Hot-Linking

Hot-linking is mostly used by fraud websites. It is very easy to make a copy of your website and usually images, styles and other resources are still loaded from your website on these fraud websites. Unless you are gathering some serious data from the users, it does not harm that much but it increases your traffic and bandwidth. You can restrict this with simple URL rewrite configuration.

<configuration> 
	<system.webServer>
	  <rewrite>  
		<rules> 
			<rule name="Prevent hotlinking">
			  <match url=".*\.(gif|jpg|png|css|js)$"/>
			  <conditions>
				<add input="{HTTP_REFERER}" pattern="^$" negate="true" />
				<add input="{HTTP_REFERER}" pattern="^http://dejanstojanovic\.net/.*$" negate="true" />
			  </conditions>
			  <action type="Rewrite" url="/403" />
			</rule>
		</rules> 
	  </rewrite>
	</system.webServer>	  
</configuration> 
    

More about hotlinking you can read in article Restrict image and CSS hotlinking of your ASP.NET website

Disclaimer

Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.


About the author

DEJAN STOJANOVIC

Dejan is a passionate Software Architect/Developer. He is highly experienced in .NET programming platform including ASP.NET MVC and WebApi. He likes working on new technologies and exciting challenging projects

CONNECT WITH DEJAN  Loginlinkedin Logintwitter Logingoogleplus Logingoogleplus

JavaScript

read more

SQL/T-SQL

read more

Umbraco CMS

read more

PowerShell

read more

Comments for this article