Following are the points that needs to take care while publishing site on the production server.
- Add the following line to your Web.Config file, under the <system.web> element:
Encrypt Viewstate in Web.Config file by using the below code.
- <system.web>
- <machineKey validation="AES" /> FOR 2.0 and more OR
- <machineKey validation="3DES" /> FOR 1.1
- </system.web>
- In order to disable debugging in ASP.NET, edit your web.config file to contain the following:
- <compilation debug="false"/>
- <httpCookies httpOnlyCookies="true" requireSSL="true" domain=""/> FOR 2.0 and more
- Set start up page as default page
- disable directory browsing
Guidelines
- Database connection string in Web.Config file must be in encrypted format.
- Re-direct user’s to custom error page by adding the below lines in Web.Config file.
- <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx">
- <error statusCode="403" redirect="404b.htm"/>
- <error statusCode="404" redirect="404b.htm"/>
- <error statusCode="500" redirect="404b.htm"/>
- </customErrors>
- Encrypt Viewstate in Web.Config file by using the below code.
- <system.web>
- <machineKey validation="3DES" />
- <pages enableViewStateMac="true"/>
- </system.web>
- Session fixation - Session ID before and after login should not remain the same. For this, abondon the session on log off. Also, abondon the session on first load of login page.
Don't declare Session variables like this :
- Session["mySessionVar"] = <value>
Use the below code in the login page:
- public const string ASP_NET_SESSION_ID = "ASP.NET_SessionId";
- if (!Page.IsPostBack)
- {
- if (Request.IsAuthenticated)
- {
-
- if (Page.User.Identity.IsAuthenticated)
- {
- if (Page.Request.Cookies[GlobalConstants.ASP_NET_SESSION_ID] != null)
- Response.Cookies[GlobalConstants.ASP_NET_SESSION_ID].Expires = DateTime.Now.AddYears(-30);
- FormsAuthentication.SignOut();
- }
- }
- Session.Abandon();
- }
- Validate the user on each page. Some applications let you access a page after login if you just type the page in URL. The system should authenticate users on each page. Some applications implement master page, base class. Put the check on those two pages then. In case you don't have either of master page or base page, you have to write function to authenticate users and call it from every page.
- SQL Injection
All inline queries needs to replace with stored procedure.
Restrict input parameters of login ID. Allow only alphanumeric. No special character
- Disable directory browsing for your website.
- If any sensitive information is passed through query string, make sure it is in encrypted format.
- Header Response Version Disclosure: for 2.0 and more
If you are facing problem to fix BBGB finding " Header Response Version Disclosure" then please use below tag in web.config file under "<system.web> tag.
- <httpruntime enableversionheader="false"></httpruntime>
- Missing Secure Attribute in Encrypted Session (SSL) Cookie: apply always ssl
- Missing httponly attribute is session cookie
<httpCookies httpOnlyCookies="true" requireSSL="true" domain=""/> FOR 2.0 and more
For ASP.NET 1.1 application put code in Global.asax
Protected Sub Application_EndRequest(ByVal sender As Object, ByVal e As EventArgs)
For Each cookie As String In Response.Cookies:
- Const HTTPONLY As String = ";HttpOnly"
- Dim path As String = Response.Cookies(cookie).Path
- If path.EndsWith(HTTPONLY) = False Then
- Response.Cookies(cookie).Path += HTTPONLY
- End If
- Next
- End Sub
- Application test script detected -- Ex : remove all test pages from code.