Last active
January 5, 2023 22:05
-
-
Save akunzai/58afd91be3b8d63d685531a4f6dc64b9 to your computer and use it in GitHub Desktop.
ASP.NET Web application security configurations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- The following configuration should also work with Azure App Service --> | |
| <configuration> | |
| <system.web> | |
| <!-- Disable X-AspNet-Version Header --> | |
| <httpRuntime enableVersionHeader="false" /> | |
| <!-- File upload size limit (KB), avoid DoS attack --> | |
| <httpRuntime maxRequestLength="4096" /> | |
| <!-- Disable debug & trace in Production --> | |
| <compilation debug="false" /> | |
| <trace enabled="false" /> | |
| <!-- Enhance Cookies security --> | |
| <httpCookies httpOnlyCookies="true" requireSSL="true" /> | |
| <!-- Avoid information leaking on errors --> | |
| <customErrors mode="RemoteOnly" defaultRedirect="error.html"> | |
| <error statusCode="404" redirect="404.html" /> | |
| <error statusCode="500" redirect="error.html" /> | |
| </customErrors> | |
| <!-- Ensure Form Login via HTTPS --> | |
| <authentication> | |
| <forms requireSSL="true" /> | |
| </authentication> | |
| </system.web> | |
| <system.webServer> | |
| <httpProtocol> | |
| <customHeaders> | |
| <add | |
| name="Content-Security-Policy" | |
| value="default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'" | |
| /> | |
| <add name="X-Content-Type-Options" value="nosniff" /> | |
| <add name="X-Frame-Options" value="DENY" /> | |
| <add name="X-Permitted-Cross-Domain-Policies" value="none" /> | |
| <add name="X-XSS-Protection" value="1; mode=block" /> | |
| <remove name="X-Powered-By" /> | |
| <remove name="X-AspNet-Version" /> | |
| <remove name="X-AspNetMvc-Version" /> | |
| </customHeaders> | |
| </httpProtocol> | |
| <rewrite> | |
| <rules> | |
| <clear /> | |
| <rule name="Allow LetsEncrypt" stopProcessing="true"> | |
| <match url="^\.well-known/acme-challenge/.*$" /> | |
| <action type="None" /> | |
| </rule> | |
| <rule name="Redirect to https" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions> | |
| <add input="{HTTPS}" pattern="off" /> | |
| <add input="{REQUEST_METHOD}" pattern="^get$|^head$" /> | |
| </conditions> | |
| <action | |
| type="Redirect" | |
| url="https://{HTTP_HOST}/{R:0}" | |
| redirectType="Permanent" | |
| /> | |
| </rule> | |
| <rule | |
| name="Block password parameter in GET Requests" | |
| stopProcessing="true" | |
| > | |
| <match url=".*" /> | |
| <conditions> | |
| <add input="{QUERY_STRING}" pattern="password=.*" /> | |
| </conditions> | |
| <action type="CustomResponse" statusCode="400" /> | |
| </rule> | |
| <rule name="Block directory traversal attempts" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions logicalGrouping="MatchAny"> | |
| <add input="{UNENCODED_URL}" pattern="\.\." /> | |
| <add input="{UNENCODED_URL}" pattern="\./" /> | |
| </conditions> | |
| <action type="CustomResponse" statusCode="404" /> | |
| </rule> | |
| <rule name="Block special characters in URL" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions logicalGrouping="MatchAny"> | |
| <add input="{HTTP_X_ORIGINAL_URL}" pattern="[\x00-\x1f\x7f]+" /> | |
| </conditions> | |
| <action type="CustomResponse" statusCode="400" /> | |
| </rule> | |
| <!-- https://msrc.microsoft.com/update-guide/vulnerability/ADV200008 --> | |
| <!-- https://docs.microsoft.com/en-us/answers/questions/943083/request-smuggling-filter-for-web-apps-in-app-servi.html --> | |
| <rule name="Block HTTP request smuggling" stopProcessing="true"> | |
| <match url=".*" /> | |
| <conditions> | |
| <add input="{HTTP_Transfer_Encoding}" pattern="chunked" /> | |
| <add input="{HTTP_Content_Length}" pattern=".+" /> | |
| </conditions> | |
| <action type="CustomResponse" statusCode="400" /> | |
| </rule> | |
| </rules> | |
| <outboundRules> | |
| <rule name="Add HSTS Header" enabled="true"> | |
| <match | |
| serverVariable="RESPONSE_Strict_Transport_Security" | |
| pattern=".*" | |
| /> | |
| <conditions> | |
| <add input="{HTTPS}" pattern="on" /> | |
| </conditions> | |
| <action type="Rewrite" value="max-age=31536000" /> | |
| </rule> | |
| <rule name="Rewrite Server header" enabled="false"> | |
| <match serverVariable="RESPONSE_Server" pattern=".+" /> | |
| <action type="Rewrite" value="Apache" /> | |
| </rule> | |
| </outboundRules> | |
| </rewrite> | |
| <security> | |
| <ipSecurity allowUnlisted="true" enableProxyMode="true"> | |
| <add allowed="false" ipAddress="1.1.1.1" /> | |
| <add allowed="false" ipAddress="2.2.2.2" subnetMask="255.255.255.0" /> | |
| </ipSecurity> | |
| <dynamicIpSecurity enableLoggingOnlyMode="true"> | |
| <denyByRequestRate | |
| enabled="true" | |
| maxRequests="100" | |
| requestIntervalInMilliseconds="3000" | |
| /> | |
| </dynamicIpSecurity> | |
| <requestFiltering removeServerHeader="true"> | |
| <filteringRules> | |
| <filteringRule name="Block Bad User Agent" scanUrl="false" scanQueryString="false"> | |
| <scanHeaders> | |
| <add requestHeader="User-Agent" /> | |
| </scanHeaders> | |
| <denyStrings> | |
| <add string="Hello" /> | |
| <add string="python-requests" /> | |
| <add string="Test Certificate Info" /> | |
| <add string="zgrab" /> | |
| </denyStrings> | |
| </filteringRule> | |
| </filteringRules> | |
| <fileExtensions allowUnlisted="true" applyToWebDAV="false"> | |
| <add fileExtension=".db" allowed="false" /> | |
| <add fileExtension=".xml" allowed="false" /> | |
| </fileExtensions> | |
| <hiddenSegments> | |
| <add segment=".git" /> | |
| <add segment=".svn" /> | |
| </hiddenSegments> | |
| <verbs> | |
| <add verb="TRACE" allowed="false" /> | |
| </verbs> | |
| </requestFiltering> | |
| </security> | |
| </system.webServer> | |
| </configuration> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment