Miracl3xt / ASP.NET-Security

For ASP.NET Security

Web.Config

Custom-Error

How to implement a custom error page in an ASP.NET website?

<system.web>
    <compilation debug="false" targetFramework="4.6.1"/>
    <httpCookies requireSSL="true" />
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="400" redirect="~/error.aspx" />
      <error statusCode="401" redirect="~/error.aspx" />
      <error statusCode="403" redirect="~/error.aspx" />
      <error statusCode="404" redirect="~/error.aspx" />
      <error statusCode="408" redirect="~/error.aspx" />
      <error statusCode="500" redirect="~/error.aspx" />
      <error statusCode="503" redirect="~/error.aspx" />
    </customErrors>
</system.web>

Alternative

<!--<httpErrors errorMode="Custom">
    <remove statusCode="401" subStatusCode="-1" />
    <remove statusCode="403" subStatusCode="-1" />
    <remove statusCode="404" subStatusCode="-1" />
    <remove statusCode="500" subStatusCode="-1" />
    --><!-- full url when responsemode is Redirect --><!--
    <error statusCode="401" path="/Error.aspx" responseMode="Redirect" />
    --><!--local relative path when responsemode is ExecuteURL--><!--
    <error statusCode="403" path="/Error.aspx" responseMode="Redirect" />
    <error statusCode="404" path="/Error.aspx" responseMode="Redirect" />
    <error statusCode="500" path="/Error.aspx" responseMode="ExecuteURL" />
        </httpErrors>-->
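  <httpErrors existingResponse="PassThrough">
    <!-- Remove inherited entries first: re-adding a status code that is already defined is a duplicate-entry error. -->
    <remove statusCode="400" subStatusCode="-1" />
    <remove statusCode="401" subStatusCode="-1" />
    <remove statusCode="404" subStatusCode="-1" />
    <remove statusCode="500" subStatusCode="-1" />
    <!-- ExecuteURL takes a site-relative path and runs the .aspx page; "~/" is not resolved in httpErrors. -->
    <error statusCode="400" path="/error.aspx" responseMode="ExecuteURL"/>
    <error statusCode="401" path="/error.aspx" responseMode="ExecuteURL"/>
    <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL"/>
    <error statusCode="500" path="/error.aspx" responseMode="ExecuteURL"/>
  </httpErrors>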

Disable-Methods

How to disable dangerous HTTP methods in ASP.NET?

<system.webServer>
    <security>
      <requestFiltering>
        <verbs>
          <add verb="OPTIONS" allowed="false" />
          <add verb="TRACE" allowed="false" />
          <add verb="PUT" allowed="false" />
          <add verb="DELETE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
</system.webServer>

Custom-Headers

How to implement security headers in ASP.NET?

<configuration>
   <system.webServer>
      <httpProtocol>
         <customHeaders>
            <!-- X-Frame-Options is set once, with a valid value; the duplicate placeholder entry was dropped. -->
            <add name="X-XSS-Protection" value="1; mode=block" />
            <add name="X-Content-Type-Options" value="nosniff" />
            <add name="X-Frame-Options" value="sameorigin" />
            <add name="X-Custom-Name" value="MyCustomValue" />
         </customHeaders>
      </httpProtocol>
   </system.webServer>
</configuration>

Encrypt-Viewstate

How to encrypt ViewState in ASP.NET?

<system.web> 
	<pages viewStateEncryptionMode="Always" /> 
</system.web>
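
The settings in the sections above can be checked mechanically before deployment. The following Python script is an added example, not part of the repository: `audit` and `SAMPLE` are hypothetical names, the sample web.config is constructed, and absent attributes are assumed to take their ASP.NET/IIS defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from the repository).
SAMPLE = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1"/>
    <customErrors mode="Off"/>
  </system.web>
  <system.webServer>
    <security><requestFiltering><verbs>
      <add verb="TRACE" allowed="false"/><add verb="PUT" allowed="false"/>
    </verbs></requestFiltering></security>
    <httpProtocol><customHeaders>
      <add name="X-Frame-options" value="MyCustomValue"/>
      <add name="X-Frame-Options" value="sameorigin"/>
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""

def audit(xml_text):
    """Hypothetical helper: list deviations from the settings shown on this page."""
    root = ET.fromstring(xml_text)
    def attr(path, name, default):  # attribute value, or the default when absent
        node = root.find(path)
        return (node.get(name, default) if node is not None else default).lower()
    out = []
    if attr("system.web/compilation", "debug", "false") == "true":
        out.append("compilation debug=true")
    if attr("system.web/customErrors", "mode", "RemoteOnly") == "off":
        out.append("customErrors mode=Off")
    if attr("system.web/httpCookies", "requireSSL", "false") != "true":
        out.append("httpCookies requireSSL not true")
    if attr("system.web/pages", "viewStateEncryptionMode", "Auto") != "always":
        out.append("viewStateEncryptionMode not Always")
    # Refused = listed with allowed="false", or unlisted while allowUnlisted="false".
    verbs = root.find("system.webServer/security/requestFiltering/verbs")
    rules = verbs.findall("add") if verbs is not None else []
    listed = {v.get("verb", "").upper(): v.get("allowed", "true").lower() == "true" for v in rules}
    unlisted = verbs is None or verbs.get("allowUnlisted", "true").lower() == "true"
    for verb in ("OPTIONS", "TRACE", "PUT", "DELETE"):
        if listed.get(verb, unlisted):
            out.append(f"verb {verb} allowed")
    # Header names are case-insensitive, so a name repeated in another case is a duplicate.
    names = [h.get("name", "").lower()
             for h in root.findall("system.webServer/httpProtocol/customHeaders/add")]
    for name in ("x-frame-options", "x-content-type-options", "x-xss-protection"):
        if name not in names:
            out.append(f"header {name} missing")
    out += [f"header {n} defined twice" for n in sorted(set(names)) if names.count(n) > 1]
    return out
```

Calling `audit(SAMPLE)` returns one finding per deviation; an empty list means the file matches every setting covered above.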