IIS Web Application Security Checklist

All Applications

  • Add this to the web.config:
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-XSS-Protection" value="1" />
<add name="Strict-Transport-Security" value="max-age=16070400; includeSubDomains" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
            </customHeaders>
</httpProtocol>
</system.webServer>
</configuration

  • SSL Certificate 

  • All data is transferred over https://

Applications with Users

  • Hashed (not encrypted) passwords. Hash with SHA-256. 

  • If cookies are used, they must be secured.

Applications with Users creating, updating, or deleting data

  • SQL Injection is prevented
    • Query parameterization
    • Stored Procedures
    • String parsing/replacing is not enough.
  • To Create, update, or delete data - use a <form> tag with a specified method [GET/POST].
    • [GET]
      • No GET forms update data
      • If the GET request returns an HTML form that does a POST, provide an antiforgery token. (or some alternative to protect against CSRF.
    • [POST]
      • Validate the antiforgery token before doing any data processing.
  • Actively guard against XSS
    • For example: All of bootstrap 3.x is vulnerable to XSS attack via data-target attribute it uses for some features. Luckily, you can use the jquery api to achieve the same affect. CTRL+F your project/solution for data-target. It should ONLY be found in Scripts\bootstrap.js and Scripts\bootstrap.min.js.

 

 

 

Last modified: 2018/11/28 16:19:26.091711 US/Eastern by seth.r.kania.1
Created: 2018/11/28 15:51:40.741851 US/Eastern by seth.r.kania.1.

Categories

Search the Knowledge Base

Include:

Quick search results

    Admin Options: Edit this Document