Print this article

IIS Web Application Security Checklist

All Applications

  • Add this to the web.config:
<add name="X-XSS-Protection" value="1" />
<add name="Strict-Transport-Security" value="max-age=16070400; includeSubDomains" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
  • SSL Certificate 

  • All data is transferred over https://

Applications with Users

  • Hashed (not encrypted) passwords. Hash with SHA-256. 

  • If cookies are used, they must be secured.

Applications with Users creating, updating, or deleting data

  • SQL Injection is prevented
    • Query parameterization
    • Stored Procedures
    • String parsing/replacing is not enough.
  • To Create, update, or delete data - use a <form> tag with a specified method [GET/POST].
    • [GET]
      • No GET forms update data
      • If the GET request returns an HTML form that does a POST, provide an antiforgery token. (or some alternative to protect against CSRF.
    • [POST]
      • Validate the antiforgery token before doing any data processing.
  • Actively guard against XSS
    • For example: All of bootstrap 3.x is vulnerable to XSS attack via data-target attribute it uses for some features. Luckily, you can use the jquery api to achieve the same affect. CTRL+F your project/solution for data-target. It should ONLY be found in Scripts\bootstrap.js and Scripts\bootstrap.min.js.




Last Modified: Nov 28, 2018 4:19 pm US/Eastern
Created: Nov 28, 2018 3:51 pm US/Eastern by admin