Bug in RemoveServerHeader attribute for IIS 10+
Bug in RemoveServerHeader attribute for IIS 10+ There is a bug in RemoveServerHeader for IIS 10+ as documented here. I documented the new attribute in IIS 10 here back in March 2018.
Category Archives: System hardening
Removing the X-Asp.Net version header
HTTP headers leak technical information to potential attackers about a system. To harden the security of an application you need to disclose as little information about a system as possible. In this post I will show to remove the Asp.net version from HTTP server header responses.
Setting up HTTPS in Asp.net core 1.1
Securing a website with HTTPS in Asp.net core is a bit different than with normal asp.net in IIS. In this post I will show to configure asp.net core so that it uses HTTPS.
Authorization in asp.net
When it comes to access control in asp.net we are all familiar with the access control elements found in the web.config. Below I will cover the best way to secure a website with the authorization element?
Custom Error Pages for IIS and Asp.net
Custom error pages are used to hide technical information from end users. Often default error pages can leak technical information to potential attackers. In this post Ill show how to implement custom error pages for IIS and Asp.net to assist with hardening the security of a system.
Hello TLS 1.3
TLS 1.3 is out and its time to take note and plan the retirement of TLS 1.2.
TLS is dead – long live TLS
Remove IIS HTTP server header
HTTP headers leak technical information to potential attackers about a system. To harden the security of an application you need to disclose as little information about a system as possible.
Considerations for GDPR in system design
GDPR or General Data Protection Regulation is a European law relating to the security and data privacy of an individuals information relating to his identity. The law will come in effect on 25 May 2018.
Complex password validation
Complex password validation Our team had to build a regular expression for a client to password validation and it had the following requirements. Below is the expression for anyone that needs anything like this. Hopefully I safe someone some time.
Top 10 things to do to secure a web application.
When starting a new project, it is best to do the following security related items as soon as possible, otherwise it will be terribly difficult to add at a later stage.
OWASP Vulnerability scanner
This post is more of a note to myself so I can remember the name of this tool and how to configure it. The OWASP Zed Attack Proxy (ZAP) can crawl through a site and test a site for the current OWASP top 10.
Secure HTTP without HSTS
In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website especially when dealing with some legacy technology.
Secure HTTP with HSTS in IIS
HTTP Strict Transport Security or HSTS is a header that instructs a browser not to downgrade a secure https connection to a unsecure HTTP connection for a specified domain.
How to disable insecure cipher suits.
There is a vulnerability in SSL3 called POODLE, it is documented in detail here by Google. SSL2 & 3 needs to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web servers to disable SSL 2 & 3… Read More »