Asp.Net Güvenlik Ayarları

Asp.Net Güvenlik Ayarları

Bu yazı, hemen hemen her sitede kullandığım ve kullanılmasını tavsiye ettiğim, hem güvenlik hem de performansla ilgili ayarları anlatır.

  1. Sunucu Ayarları
    • SSL kullan
    • HSTS aç
    • Eski TLS sürümlerini kapat
    • Gereksiz portları kapat. FTP, RDP gibi sadece geliştiricilere açık olanlara IP filtresi ya da VPN erişimi ekle
    • 8.3 dosya desteğini kapat
    • Her zaman sunucuyu güncel tut
    • Her zaman her şeyi yedekle
  2. Site web.config Ayarları
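  <system.web>
    <!-- enableVersionHeader="false" is the documented way to suppress the X-AspNet-Version response
         header; a <remove> in <customHeaders> does not cover it. The MVC X-AspNetMvc-Version header
         must be disabled in code (MvcHandler.DisableMvcResponseHeader = true). -->
    <httpRuntime enableVersionHeader="false" />
    <!-- RemoteOnly: detailed error pages (stack traces, paths) are shown only to requests from
         localhost; remote clients get the custom page. With the default redirectMode the client
         receives a 302 to ~/Error/404 followed by a 200; use redirectMode="ResponseRewrite" if the
         original 404 status must be preserved (requires a physical page rather than a route). -->
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/Error/404" />
    </customErrors>
    <!-- Every cookie issued by ASP.NET is flagged HttpOnly and Secure. On .NET Framework 4.7.2+
         also consider sameSite="Lax" here and cookieSameSite="Lax" on <forms>; older runtimes
         reject those attributes with a configuration error, so they are not set unconditionally. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <!-- protection="All": the ticket is encrypted and signed with the machineKey.
           requireSSL="true": the authentication cookie is never sent over plain HTTP. -->
      <forms name="yourAuthCookie" requireSSL="true" loginUrl="login.aspx" protection="All" path="/" />
    </authentication>
  </system.web>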
  <system.webServer>
    <!-- Static MIME mappings, one <remove>/<mimeMap> pair per extension (alphabetical).
         The <remove> first avoids a duplicate-key configuration error when the same extension
         is already mapped at the server level. Mapping an extension here makes such files
         downloadable as static content, so only list extensions that are meant to be public. -->
    <staticContent>
      <!-- Adobe AIR installer packages. -->
      <remove fileExtension=".air" />
      <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip" />
      <!-- JSON data files served directly from disk. -->
      <remove fileExtension=".json" />
      <mimeMap fileExtension=".json" mimeType="application/json" />
      <!-- LESS sources are served with the CSS media type (client-side LESS compilation). -->
      <remove fileExtension=".less" />
      <mimeMap fileExtension=".less" mimeType="text/css" />
      <!-- Video. -->
      <remove fileExtension=".mp4" />
      <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
      <!-- Vector images. -->
      <remove fileExtension=".svg" />
      <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
      <!-- Web fonts. -->
      <remove fileExtension=".woff" />
      <mimeMap fileExtension=".woff" mimeType="font/woff" />
      <remove fileExtension=".woff2" />
      <mimeMap fileExtension=".woff2" mimeType="font/woff2" />
    </staticContent>
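    <!-- Response-header hardening. Each header is <remove>d before it is <add>ed so this site
         web.config does not fail with a duplicate-entry error when a parent configuration already
         defines the same header. Two headers cannot be handled in this collection: X-AspNet-Version
         (set enableVersionHeader="false" on <httpRuntime> in <system.web>) and Server
         (IIS 10+: removeServerHeader="true" on <requestFiltering>). -->
    <httpProtocol>
      <customHeaders>
        <!-- Ensure the X-Powered-By header is not returned. -->
        <remove name="X-Powered-By" />
        <!-- Caches must key compressed and uncompressed variants separately. -->
        <remove name="Vary" />
        <add name="Vary" value="Accept-Encoding" />
        <!-- Clickjacking: honoured by legacy browsers; CSP frame-ancestors (below) is the current
             mechanism and takes precedence where supported. ref.: http://stackoverflow.com/a/22105445/1233379 -->
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="sameorigin" />
        <!-- MIME-type confusion: browsers must honour the declared Content-Type.
             ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
        <remove name="X-Content-Type-Options" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <!-- HSTS: forces HTTPS for max-age seconds and so protects against protocol-downgrade /
             SSL-stripping (not clickjacking). 10886400 s is 126 days. The preload token only matters
             for the browser preload list, which additionally requires includeSubDomains and
             max-age of at least 31536000; do not add includeSubDomains until every subdomain
             serves HTTPS. ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
        <remove name="Strict-Transport-Security" />
        <add name="Strict-Transport-Security" value="max-age=10886400; preload" />
        <!-- Legacy XSS auditor. Current OWASP guidance is to disable it with "0": modern browsers
             removed the filter and its blocking mode caused information leaks in those that still
             ship it. Content-Security-Policy is the effective XSS control. -->
        <remove name="X-XSS-Protection" />
        <add name="X-XSS-Protection" value="0" />
        <!-- No Referer header at all, including to same-origin pages (use
             strict-origin-when-cross-origin if the application relies on same-origin referrers).
             ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
        <remove name="Referrer-Policy" />
        <add name="Referrer-Policy" value="no-referrer" />
        <!-- Valid values are none, master-only, by-content-type, by-ftp-filename and all;
             "same-origin" is not one of them and is ignored by the Adobe clients that read this header. -->
        <remove name="X-Permitted-Cross-Domain-Policies" />
        <add name="X-Permitted-Cross-Domain-Policies" value="none" />
        <!-- frame-ancestors is not derived from default-src, so it is set explicitly and mirrors
             X-Frame-Options; object-src 'none' blocks plugin content. Everything on cdnjs is trusted
             wholesale here; pin the loaded files with integrity (SRI) attributes on the <script> tags.
             ref.: https://blog.elmah.io/content-security-policy-in-asp-net-mvc/ -->
        <remove name="Content-Security-Policy" />
        <add name="Content-Security-Policy" value="default-src 'self' cdnjs.cloudflare.com; frame-ancestors 'self'; object-src 'none'" />
        <!-- Permissions-Policy is a dictionary of feature=(allowlist); the bare value "none" is not
             valid syntax and is ignored. The features below are a constructed starting set: extend
             it with every browser feature the site does not use.
             ref.: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/ -->
        <remove name="Permissions-Policy" />
        <add name="Permissions-Policy" value="geolocation=(), camera=(), microphone=()" />
      </customHeaders>
    </httpProtocol>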
    <!-- Request filtering: request body size limit and an HTTP verb deny-list. -->
    <security>
      <requestFiltering>
        <!-- Raises the IIS request body limit from the default 30000000 bytes to 50 MB (value in
             bytes). ASP.NET enforces its own limit as well: raise maxRequestLength (in KB) on
             <httpRuntime> in <system.web>, otherwise uploads above 4 MB are still rejected by the
             runtime. On IIS 10+ removeServerHeader="true" on this element also drops the Server header. -->
        <requestLimits maxAllowedContentLength="52428800" />
        <!-- Verb deny-list; allowUnlisted="true" means any verb not listed stays allowed.
             GET, HEAD and POST are all an ordinary site needs. PUT, DELETE and PATCH are only
             required by WebDAV or a REST API hosted on this site, and TRACE/TRACK merely echo the
             request back for debugging, so all of them are blocked to shrink the attack surface.
             Blocking OPTIONS also blocks CORS pre-flight requests: re-enable it if browsers on
             other origins must call this site. -->
        <verbs allowUnlisted="true">
          <add verb="DELETE" allowed="false" />
          <add verb="OPTIONS" allowed="false" />
          <add verb="PATCH" allowed="false" />
          <add verb="PUT" allowed="false" />
          <add verb="TRACE" allowed="false" />
          <add verb="TRACK" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
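    <!-- gzip compression for static and dynamic responses.
         NOTE(review): in a default applicationHost.config the httpCompression section is locked
         (overrideModeDefault="Deny"), so IIS rejects it in a site web.config with a 500.19
         configuration error unless the section has been unlocked; otherwise keep it in
         applicationHost.config.
         Dynamic compression of authenticated pages that place a secret (anti-forgery or session
         token) next to attacker-controlled input is the precondition for BREACH-style compression
         side channels; confirm tokens are masked per request or leave dynamic compression off for
         those pages. -->
    <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
      <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
      <!-- Dynamically generated responses, compressed on every request. The "*/*" entry at the end
           explicitly leaves everything not listed above uncompressed. -->
      <dynamicTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="application/javascript" enabled="true" />
        <add mimeType="application/x-javascript" enabled="true" />
        <add mimeType="application/x-javascript; charset=utf-8" enabled="true" />
        <add mimeType="application/json" enabled="true" />
        <add mimeType="application/json; charset=utf-8" enabled="true" />
        <add mimeType="application/atom+xml" enabled="true" />
        <add mimeType="application/xaml+xml" enabled="true" />
        <add mimeType="application/xop+xml" enabled="true" />
        <add mimeType="application/soap+xml" enabled="true" />
        <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />
        <!-- Was "ISO-8895-1", a typo that matches no real charset; ISO-8859-1 is intended. -->
        <add mimeType="application/soap+xml; charset=ISO-8859-1" enabled="true" />
        <add mimeType="*/*" enabled="false" />
      </dynamicTypes>
      <!-- Static files; the compressed copies are cached under the directory given above.
           Same list as dynamicTypes so both paths behave alike. -->
      <staticTypes>
        <add mimeType="text/*" enabled="true" />
        <add mimeType="message/*" enabled="true" />
        <add mimeType="application/javascript" enabled="true" />
        <add mimeType="application/x-javascript" enabled="true" />
        <add mimeType="application/x-javascript; charset=utf-8" enabled="true" />
        <add mimeType="application/json" enabled="true" />
        <add mimeType="application/json; charset=utf-8" enabled="true" />
        <add mimeType="application/atom+xml" enabled="true" />
        <add mimeType="application/xaml+xml" enabled="true" />
        <add mimeType="application/xop+xml" enabled="true" />
        <add mimeType="application/soap+xml" enabled="true" />
        <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />
        <!-- Same typo fix as in dynamicTypes: ISO-8859-1, not ISO-8895-1. -->
        <add mimeType="application/soap+xml; charset=ISO-8859-1" enabled="true" />
        <add mimeType="*/*" enabled="false" />
      </staticTypes>
    </httpCompression>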
  </system.webServer>