Güvenlik

Asp.Net Güvenlik Ayarları

Bu yazı, hemen hemen her sitede kullandığım ve kullanılmasını tavsiye ettiğim, hem güvenlikle hem de performansla ilgili ayarları anlatır.

  1. Sunucu Ayarları
    • SSL kullan
    • HSTS aç
    • Eski TLS sürümlerini kapat
    • Gereksiz portları kapat. FTP, RDP gibi sadece geliştiricilere açık olanlara IP filtresi ya da VPN erişimi ekle
    • 8.3 dosya desteğini kapat
    • Her zaman sunucuyu güncel tut
    • Her zaman her şeyi yedekle
  2. Site web.config Ayarları

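<system.web>
  <!-- RemoteOnly: detailed error pages are shown only to requests from the server itself;
       remote clients are redirected to the configured pages and see no stack traces. -->
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/Error/404" />
  </customErrors>
  <!-- Cookies are HttpOnly (not readable from script) and are only sent over HTTPS.
       On .NET Framework 4.7.2 or later a sameSite="Lax" attribute can be added here; confirm the framework version first. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />
  <!-- Suppress the X-AspNet-Version response header; this complements the X-Powered-By removal in system.webServer.
       If the file already has an <httpRuntime> element, merge this attribute into it instead of adding a second element. -->
  <httpRuntime enableVersionHeader="false" />
  <authentication mode="Forms">
    <!-- protection="All" encrypts and signs the ticket; requireSSL keeps it off plain HTTP.
         cookieless="UseCookies" prevents the ticket from ever being carried in the URL (where it would leak via logs and Referer). -->
    <forms name="yourAuthCookie" requireSSL="true" loginUrl="login.aspx" protection="All" path="/" cookieless="UseCookies" />
  </authentication>
</system.web>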
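<system.webServer>
  <staticContent>
    <!-- Each <remove> precedes its <mimeMap> so the mapping does not fail when IIS already defines the extension. -->
    <remove fileExtension=".air" />
    <mimeMap fileExtension=".air" mimeType="application/vnd.adobe.air-application-installer-package+zip" />
    <remove fileExtension=".svg" />
    <mimeMap fileExtension=".svg" mimeType="image/svg+xml" />
    <remove fileExtension=".woff" />
    <mimeMap fileExtension=".woff" mimeType="font/woff" />
    <remove fileExtension=".woff2" />
    <mimeMap fileExtension=".woff2" mimeType="font/woff2" />
    <remove fileExtension=".less" />
    <mimeMap fileExtension=".less" mimeType="text/css" />
    <remove fileExtension=".mp4" />
    <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
    <remove fileExtension=".json" />
    <mimeMap fileExtension=".json" mimeType="application/json" />
  </staticContent>

  <!-- Ensure the powered by header is not returned -->
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
      <!-- The Server header cannot be removed from customHeaders; on IIS 10+ use removeServerHeader="true"
           on <requestFiltering> below. X-AspNet-Version is removed via <httpRuntime enableVersionHeader="false"> in system.web. -->
      <remove name="Vary" />
      <add name="Vary" value="Accept-Encoding" />

      <!-- Protects against Clickjacking attacks. ref.: http://stackoverflow.com/a/22105445/1233379 -->
      <remove name="X-Frame-Options" />
      <add name="X-Frame-Options" value="sameorigin" />

      <!-- Protects against MIME-type confusion attack. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
      <remove name="X-Content-Type-Options" />
      <add name="X-Content-Type-Options" value="nosniff" />

      <!-- HSTS: tells browsers to use HTTPS only, protecting against protocol-downgrade / SSL-stripping (not clickjacking).
           The preload directive is only honoured by the preload list together with includeSubDomains and a max-age of
           at least 31536000 (one year). Drop includeSubDomains and preload if any subdomain must stay reachable over plain HTTP.
           ref.: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet -->
      <remove name="Strict-Transport-Security" />
      <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />

      <!-- X-XSS-Protection: the browser XSS auditor is deprecated and, in the browsers that still have it, the filter
           itself has been a source of information leaks. Current OWASP guidance is to disable it explicitly and rely on
           Content-Security-Policy instead. ref.: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/ -->
      <remove name="X-XSS-Protection" />
      <add name="X-XSS-Protection" value="0" />

      <!-- Prevents from leaking referrer data over insecure connections.
           ref.: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
      <add name="Referrer-Policy" value="no-referrer" />

      <!-- Valid values are none, master-only, by-content-type, by-ftp-filename and all; "same-origin" is not one of them.
           "none" disallows any cross-domain policy file. -->
      <add name="X-Permitted-Cross-Domain-Policies" value="none" />

      <!-- https://blog.elmah.io/content-security-policy-in-asp-net-mvc/
           Allowing the whole cdnjs.cloudflare.com host permits any library hosted there, which weakens the policy;
           prefer pinning the exact script paths you use and adding integrity (SRI) attributes on those tags.
           frame-ancestors mirrors X-Frame-Options for browsers that prefer CSP; object-src 'none' blocks plugin content;
           base-uri 'self' stops injected <base> tags from redirecting relative URLs. -->
      <add name="Content-Security-Policy" value="default-src 'self' cdnjs.cloudflare.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" />

      <!-- https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
           Permissions-Policy is a list of feature=(allowlist) entries; the bare value "none" is not valid syntax and is ignored.
           The features below are an example set (empty allowlist = disabled everywhere); adjust to what the site uses. -->
      <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=()" />
    </customHeaders>
  </httpProtocol>

  <!-- Increase the default upload file size limit -->
  <security>
    <!-- On IIS 10+ removeServerHeader="true" can be added to <requestFiltering> to drop the Server header;
         older IIS versions reject unknown attributes, so confirm the version before adding it. -->
    <requestFiltering>
      <!-- 50 MB, in bytes. ASP.NET also enforces <httpRuntime maxRequestLength> (in KB, default 4096) in system.web;
           raise both or uploads above 4 MB are still rejected. -->
      <requestLimits maxAllowedContentLength="52428800" />
      <!-- HTTP methods: OPTIONS, HEAD, GET, POST, PUT, DELETE, TRACE, CONNECT
           An ordinary web server supports the HEAD, GET and POST methods to retrieve static and dynamic content
           (enabling WebDAV on a web server will add support for the PUT and DELETE methods).
           TRACE and TRACK are methods which can be used for debugging purposes. It repeats the content of a request,
           and an attacker could steal credentials by using a client-side attack.
           These HTTP methods should not be supported on public web servers, as they increase the attack surface.
           Note: blocking OPTIONS breaks CORS preflight requests and blocking PUT/DELETE/PATCH breaks REST-style APIs
           hosted on the same site; remove those entries if the site needs them. allowUnlisted="true" means any verb not
           named here is still accepted; a stricter variant is allowUnlisted="false" with GET, HEAD and POST listed as allowed. -->
      <verbs allowUnlisted="true">
        <add verb="OPTIONS" allowed="false" />
        <add verb="PUT" allowed="false" />
        <add verb="TRACE" allowed="false" />
        <add verb="DELETE" allowed="false" />
        <add verb="TRACK" allowed="false" />
        <add verb="PATCH" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>

  <!-- Compression. The charset was previously misspelled "ISO-8895-1", so that entry never matched; corrected to ISO-8859-1.
       Compressing dynamic HTML that contains secrets (e.g. anti-forgery tokens) next to reflected user input exposes
       those pages to BREACH-style compression side channels; consider disabling dynamic compression for such pages
       or relying on per-request token masking. -->
  <httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
    <scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
    <dynamicTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="application/x-javascript; charset=utf-8" enabled="true" />
      <add mimeType="application/json" enabled="true" />
      <add mimeType="application/json; charset=utf-8" enabled="true" />
      <add mimeType="application/atom+xml" enabled="true" />
      <add mimeType="application/xaml+xml" enabled="true" />
      <add mimeType="application/xop+xml" enabled="true" />
      <add mimeType="application/soap+xml" enabled="true" />
      <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />
      <add mimeType="application/soap+xml; charset=ISO-8859-1" enabled="true" />
      <!-- Everything not listed above stays uncompressed. -->
      <add mimeType="*/*" enabled="false" />
    </dynamicTypes>
    <staticTypes>
      <add mimeType="text/*" enabled="true" />
      <add mimeType="message/*" enabled="true" />
      <add mimeType="application/javascript" enabled="true" />
      <add mimeType="application/x-javascript" enabled="true" />
      <add mimeType="application/x-javascript; charset=utf-8" enabled="true" />
      <add mimeType="application/json" enabled="true" />
      <add mimeType="application/json; charset=utf-8" enabled="true" />
      <add mimeType="application/atom+xml" enabled="true" />
      <add mimeType="application/xaml+xml" enabled="true" />
      <add mimeType="application/xop+xml" enabled="true" />
      <add mimeType="application/soap+xml" enabled="true" />
      <add mimeType="application/soap+xml; charset=utf-8" enabled="true" />
      <add mimeType="application/soap+xml; charset=ISO-8859-1" enabled="true" />
      <add mimeType="*/*" enabled="false" />
    </staticTypes>
  </httpCompression>
</system.webServer>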