Secure Your ASP.NET App with Proven Configuration Settings

Boost safety and performance with easy-to-apply server and web.config settings

Posted by Hüseyin Sekmenoğlu on March 09, 2021 Application Security

Securing your ASP.NET applications is critical not only for protecting user data but also for maintaining system stability and performance. Below is a comprehensive guide containing the server and application-level configurations I regularly apply and recommend.


🔧 Server-Level Settings

✅ Use SSL

Always enforce HTTPS to ensure encrypted communication between clients and your server.

✅ Enable HSTS

HTTP Strict Transport Security (HSTS) forces secure connections and protects against protocol downgrade attacks.

🚫 Disable Old TLS Versions

Restrict the server to use only secure TLS versions like 1.2 or 1.3.

🔒 Close Unnecessary Ports

Block ports like FTP or RDP from public access. Restrict them using IP whitelisting or VPN access only.

🚫 Disable 8.3 File Naming

Disabling short (8.3) file name generation enhances performance and security on NTFS systems.

📅 Keep the Server Updated

Regularly update the operating system and software to patch known vulnerabilities.

💾 Always Backup Everything

Backups are your last line of defense against catastrophic failures or cyberattacks.


โš™๏ธ Web.config Configuration

Configure your web.config file for maximum security and optimized performance.

๐Ÿ” Custom Errors and Authentication

<system.web>
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/Error/404" />
  </customErrors>
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <authentication mode="Forms">
    <forms name="yourAuthCookie" requireSSL="true" loginUrl="login.aspx" protection="All" path="/" />
  </authentication>
</system.web>
  • Custom Errors: RemoteOnly shows detailed error pages only to requests from the local machine, so stack traces never reach remote users.

  • HttpOnly and Secure Cookies: httpOnlyCookies keeps cookies out of reach of client-side script, and requireSSL ensures they are only ever sent over HTTPS.

  • Forms Authentication: protection="All" encrypts and signs the authentication ticket, and requireSSL="true" marks the ticket cookie Secure so it is never transmitted in clear text.


🧾 MIME Type Management

Remove the MIME types you do not serve, and define the ones you do explicitly.

<staticContent>
  <remove fileExtension=".air" />
  <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip" />
  <!-- Repeat for .svg, .woff, .less, .mp4, .json -->
</staticContent>

IIS only serves files whose extension has a mimeMap entry, so removing an entry stops that file type from being served at all, and defining the remaining ones explicitly guarantees that each response carries the correct Content-Type instead of one a browser has to guess. Removing an entry before adding it also avoids the duplicate-entry error (HTTP 500.19) that occurs when the same extension is already mapped at the server level.


📤 HTTP Headers for Security

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <remove name="Vary" />
    <add name="Vary" value="Accept-Encoding" />
    <add name="X-Frame-Options" value="sameorigin" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Strict-Transport-Security" value="max-age=10886400; preload" />
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="Referrer-Policy" value="no-referrer" />
    <!-- Valid values are none, master-only, by-content-type, by-ftp-filename and all -->
    <add name="X-Permitted-Cross-Domain-Policies" value="none" />
    <add name="Content-Security-Policy" value="default-src 'self' cdnjs.cloudflare.com" />
    <!-- Permissions-Policy takes feature=(allowlist) entries; a bare "none" is invalid and ignored -->
    <add name="Permissions-Policy" value="geolocation=(), camera=(), microphone=()" />
  </customHeaders>
</httpProtocol>

Each header plays a specific role:

  • X-Frame-Options: Prevents clickjacking by stopping other origins from framing your pages.

  • X-Content-Type-Options: Blocks MIME-sniffing so browsers honour the declared Content-Type.

  • HSTS: Forces HTTPS. The preload directive only matters once the site is on the browser preload list, which requires a max-age of at least one year (31536000 seconds) and includeSubDomains; with a shorter max-age the directive is simply ignored.

  • X-XSS-Protection: Enables the legacy reflected-XSS filter in older browsers. Chromium-based browsers have removed that filter and Firefox never implemented it, so treat Content-Security-Policy as the actual control.

  • Referrer-Policy: Prevents leaking referrer data.

  • X-Permitted-Cross-Domain-Policies: Tells Flash and Acrobat clients not to honour cross-domain policy files hosted on the site.

  • Content-Security-Policy: Restricts the loading of resources to the listed sources.

  • Permissions-Policy: Controls access to browser features. Its value is a comma-separated list of feature=(allowlist) entries, for example geolocation=(), camera=(); a bare value of none is not valid syntax and browsers ignore it.
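The headers above are applied by IIS in document order (remove, then add), and their values are easy to get subtly wrong. The following script, an added example that is not part of the original article, replays a <customHeaders> section to compute the effective header set and lints it for the points discussed above. The web.config fragment is constructed for the demonstration; it deliberately keeps an HSTS max-age under one year and a Permissions-Policy value of none so the lint has something to report. The inherited X-Powered-By header is an assumption about the server-level defaults.

```python
"""Replay an IIS <customHeaders> section to get the effective response
headers, then lint them against common hardening rules.
Added example for this article, not the author's code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config (no XML declaration so ET.fromstring accepts a str).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="Vary" />
        <add name="Vary" value="Accept-Encoding" />
        <add name="X-Frame-Options" value="sameorigin" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=10886400; preload" />
        <add name="Referrer-Policy" value="no-referrer" />
        <add name="Content-Security-Policy" value="default-src 'self' cdnjs.cloudflare.com" />
        <add name="Permissions-Policy" value="none" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Assumed server-level headers present before this file is applied.
INHERITED_HEADERS = {"x-powered-by": "ASP.NET"}

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age for preload submission

# Permissions-Policy item grammar: feature=* or feature=(allowlist), where the
# allowlist is empty or holds self/src tokens and quoted origins.
_PP_ITEM = re.compile(
    r'^[a-z][a-z0-9-]*=(\*|\(\s*((self|src|"[^"]*")(\s+(self|src|"[^"]*"))*)?\s*\))$'
)


def effective_headers(config_xml, inherited=None):
    """Apply <clear/>, <remove/> and <add/> in document order (the order IIS
    uses) and return the resulting header map keyed by lowercase name."""
    headers = dict(INHERITED_HEADERS if inherited is None else inherited)
    section = next(ET.fromstring(config_xml).iter("customHeaders"), None)
    for el in section if section is not None else []:
        if el.tag == "clear":
            headers.clear()
        elif el.tag == "remove":
            headers.pop(el.get("name", "").lower(), None)
        elif el.tag == "add":
            headers[el.get("name", "").lower()] = el.get("value", "")
    return headers


def parse_hsts(value):
    """Split an HSTS value into a directive map; max-age becomes an int."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    if "max-age" in directives:
        directives["max-age"] = int(directives["max-age"])
    return directives


def lint_headers(headers):
    """Return (severity, message) findings for an effective header map."""
    findings = []
    if "x-powered-by" in headers:
        findings.append(("low", "X-Powered-By still present: technology disclosed"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options is not nosniff"))
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("medium", "X-Frame-Options missing or not DENY/SAMEORIGIN"))
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age", 0)
        if age < ONE_YEAR:
            findings.append(("low", f"HSTS max-age {age} is below one year"))
        if "preload" in d and ("includesubdomains" not in d or age < ONE_YEAR):
            findings.append(("low", "HSTS preload needs includeSubDomains and "
                                    "max-age >= 1 year to be accepted"))
    if "default-src" not in headers.get("content-security-policy", ""):
        findings.append(("medium", "Content-Security-Policy has no default-src"))
    for item in headers.get("permissions-policy", "").split(","):
        item = item.strip()
        if item and not _PP_ITEM.match(item):
            findings.append(("low", f"Permissions-Policy item {item!r} is invalid "
                                    "syntax and will be ignored"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_headers(effective_headers(SAMPLE_WEB_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the short HSTS max-age, the preload directive that cannot be honoured, and the invalid Permissions-Policy value; X-Powered-By is correctly gone because the remove is replayed before the lint runs. Pointing effective_headers at your real web.config is a cheap pre-deployment check.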


🚫 Restrict Dangerous HTTP Methods

<security>
  <requestFiltering>
    <verbs allowUnlisted="true">
      <add verb="OPTIONS" allowed="false" />
      <add verb="PUT" allowed="false" />
      <add verb="TRACE" allowed="false" />
      <add verb="DELETE" allowed="false" />
      <add verb="TRACK" allowed="false" />
      <add verb="PATCH" allowed="false" />
    </verbs>
  </requestFiltering>
</security>

Denying the HTTP verbs an application does not use reduces its attack surface; TRACE and TRACK in particular should never reach an application. Check the list against what the application actually needs before applying it: denying OPTIONS breaks CORS preflight requests, and denying PUT, PATCH and DELETE breaks any REST API hosted under the same site.


๐Ÿ—‚๏ธ File Upload Limit

<security>
  <requestFiltering>
    <requestLimits maxAllowedContentLength="52428800" />
  </requestFiltering>
</security>

This caps request bodies at 52428800 bytes (50 MB) at the IIS level, so oversized uploads are rejected before they can exhaust server resources. ASP.NET enforces a second limit of its own, maxRequestLength on <httpRuntime> in system.web, which is expressed in kilobytes and defaults to 4096 (4 MB); a request must pass both, so the smaller of the two is the effective limit and they need to be raised together when larger uploads are required.
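The settings in the custom errors, authentication, verb filtering and request limit sections interact (two size limits apply to one request, and defaults fill in whatever the file omits). The script below, an added example that is not the article's own code, reads those settings from a web.config, works out the effective upload limit from both maxAllowedContentLength (bytes) and maxRequestLength (kilobytes) using IIS's and ASP.NET's documented defaults, and reports weak values. The sample config is constructed with a few deliberately weak settings, and the 100 MB upload policy threshold is an assumption.

```python
"""Lint the ASP.NET and IIS request-filtering settings from a web.config:
custom errors, cookie flags, forms authentication, denied verbs and the
two request size limits.  Added example for this article, not the
author's code; the sample config is constructed with weak settings."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
    <authentication mode="Forms">
      <forms name="yourAuthCookie" requireSSL="true" loginUrl="login.aspx" protection="All" />
    </authentication>
    <httpRuntime maxRequestLength="4096" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
          <add verb="PUT" allowed="false" />
        </verbs>
        <requestLimits maxAllowedContentLength="52428800" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

DEFAULT_MAX_ALLOWED_CONTENT_LENGTH = 30_000_000  # IIS default, in bytes
DEFAULT_MAX_REQUEST_LENGTH_KB = 4096             # ASP.NET default, in kilobytes
DIAGNOSTIC_VERBS = {"TRACE", "TRACK"}            # should never reach an app


def _attr(root, tag, name, default=None):
    """Attribute `name` of the first element called `tag`, or the default."""
    el = next(root.iter(tag), None)
    return el.get(name, default) if el is not None else default


def effective_upload_limit(config_xml):
    """Both the IIS limit (bytes) and the ASP.NET limit (KB) apply to one
    request; return (limit_in_bytes, which_setting_governs)."""
    root = ET.fromstring(config_xml)
    iis = int(_attr(root, "requestLimits", "maxAllowedContentLength",
                    DEFAULT_MAX_ALLOWED_CONTENT_LENGTH))
    aspnet = 1024 * int(_attr(root, "httpRuntime", "maxRequestLength",
                              DEFAULT_MAX_REQUEST_LENGTH_KB))
    if aspnet <= iis:
        return aspnet, "system.web/httpRuntime@maxRequestLength"
    return iis, "requestFiltering/requestLimits@maxAllowedContentLength"


def denied_verbs(config_xml):
    """Verbs explicitly denied under <requestFiltering><verbs>."""
    verbs = next(ET.fromstring(config_xml).iter("verbs"), None)
    if verbs is None:
        return set()
    return {v.get("verb", "").upper() for v in verbs.findall("add")
            if v.get("allowed", "true").lower() == "false"}


def lint_config(config_xml, max_upload_bytes=100 * 1024 * 1024):
    """Return human-readable findings; max_upload_bytes is an assumed policy."""
    root = ET.fromstring(config_xml)
    f = []
    # Defaults below are the documented ASP.NET defaults for each attribute.
    if _attr(root, "customErrors", "mode", "RemoteOnly").lower() == "off":
        f.append("customErrors mode=Off: stack traces reach remote users")
    if _attr(root, "httpCookies", "httpOnlyCookies", "false").lower() != "true":
        f.append("httpCookies httpOnlyCookies is not true")
    if _attr(root, "httpCookies", "requireSSL", "false").lower() != "true":
        f.append("httpCookies requireSSL is not true")
    if _attr(root, "authentication", "mode", "").lower() == "forms":
        if _attr(root, "forms", "requireSSL", "false").lower() != "true":
            f.append("forms ticket cookie is not limited to HTTPS")
        if _attr(root, "forms", "protection", "All").lower() != "all":
            f.append("forms protection is not All (ticket not encrypted and signed)")
    open_verbs = DIAGNOSTIC_VERBS - denied_verbs(config_xml)
    if open_verbs:
        f.append("diagnostic verbs still allowed: " + ", ".join(sorted(open_verbs)))
    limit, source = effective_upload_limit(config_xml)
    if limit > max_upload_bytes:
        f.append(f"effective request limit {limit} bytes ({source}) exceeds policy")
    return f


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

On the sample this reports customErrors mode=Off, the missing requireSSL on httpCookies and the still-allowed TRACK verb, and shows that the effective upload limit is 4 MB from maxRequestLength even though maxAllowedContentLength says 50 MB, which is exactly the mismatch that surprises people when large uploads fail.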


๐Ÿ—œ๏ธ Compression Settings

<httpCompression>
  <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
  <dynamicTypes>
    <add mimeType="application/json" enabled="true" />
    <add mimeType="application/javascript" enabled="true" />
    <add mimeType="text/*" enabled="true" />
    <!-- More MIME types -->
    <add mimeType="*/*" enabled="false" />
  </dynamicTypes>
  <staticTypes>
    <add mimeType="application/json" enabled="true" />
    <add mimeType="application/javascript" enabled="true" />
    <add mimeType="text/*" enabled="true" />
    <!-- More MIME types -->
    <add mimeType="*/*" enabled="false" />
  </staticTypes>
</httpCompression>

Gzip compression improves page load times and decreases bandwidth usage. Two practical notes: IIS locks the httpCompression section at the server level by default, so if web.config fails with "This configuration section cannot be used at this path", unlock it with appcmd unlock config /section:system.webServer/httpCompression or set it in applicationHost.config instead; and dynamic compression of responses that combine a secret (such as a CSRF token) with attacker-influenced input exposes that secret to compression side-channel attacks (BREACH), so keep dynamicTypes limited to responses where that does not apply.


✅ Final Notes

By implementing these server and application-level configurations, you significantly improve your ASP.NET web application's security posture and performance. These practices are not just for compliance or checklists; they are your first line of defense in real-world deployments.