Security Scan
To help secure every installation, newer versions of dbFront can run a security scan. Each check below lists what is tested and, where a web.config setting is involved, the configuration path and the expected value.
Prevent site takeover with a CAA DNS Record
Check the DNS entries for the application domain and verify that a CAA record is present. This check only confirms that a CAA record exists; it does not validate the contents of the record.
Server Binding Check
Check whether the site accepts invalid Host headers by submitting a request whose Host header is a syntactically legal domain name that is not bound to the site. If the server rejects the request with a status code between 400 and 499, the check passes and the server is considered secure.
To secure your server, set up explicit named bindings in IIS for each website listed in your Sites. It is possible to set up multiple bindings for the same IP address and port.
You will likely need a binding for your primary domain (e.g. demo.dbFront.com) and one for "localhost" to enable testing and configuration from the local server.
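The following PowerShell script is an added example, not dbFront's own code. It creates the explicit named bindings described above with the IIS WebAdministration module, warns about any catch-all binding that is still present, and then repeats the scan's check by sending a request with an unbound Host name and expecting a 4xx status. The site name, host names, URL and bogus host name are placeholders for your environment, and it assumes a certificate is already available for the HTTPS binding.

```powershell
# Added example (not dbFront's own code). Assumes the IIS WebAdministration module,
# an IIS site named $SiteName, and a certificate already selected for the HTTPS binding.
Import-Module WebAdministration

$SiteName  = 'dbFront'                            # placeholder: your IIS site name
$HostNames = @('demo.dbFront.com', 'localhost')   # explicit names, as recommended above

# 1. Add a named binding for each host name that does not have one yet.
#    A binding with an empty host header answers every Host value, which is what the scan flags.
foreach ($h in $HostNames) {
    $bound = Get-WebBinding -Name $SiteName -Protocol 'https' |
             Where-Object { $_.bindingInformation -eq "*:443:$h" }
    if (-not $bound) {
        # SslFlags 1 = SNI, so several host names can share *:443.
        New-WebBinding -Name $SiteName -Protocol 'https' -IPAddress '*' -Port 443 -HostHeader $h -SslFlags 1
    }
}

# Report any remaining catch-all binding (bindingInformation ends with ':' when the host header is empty).
Get-WebBinding -Name $SiteName |
    Where-Object { $_.bindingInformation -like '*:' } |
    ForEach-Object { Write-Warning "Catch-all binding still present: $($_.bindingInformation)" }

# 2. Repeat the scan's check: a legal but unbound Host name must be refused with a 4xx status.
function Test-HostHeaderRejected {
    param(
        [string]$Url       = 'https://demo.dbFront.com/',   # placeholder: a URL served by this IIS
        [string]$BogusHost = 'unbound-name.example'         # placeholder: legal name, not bound to any site
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Host = $BogusHost            # HttpWebRequest exposes the restricted Host header as a property
    $req.AllowAutoRedirect = $false
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # A 4xx answer surfaces as an exception that still carries the HTTP response.
        if ($null -eq $_.Exception.Response) { throw }   # connection-level failure, not an HTTP answer
        $status = [int]$_.Exception.Response.StatusCode
    }
    $secure = ($status -ge 400 -and $status -le 499)
    [pscustomobject]@{ Url = $Url; BogusHost = $BogusHost; Status = $status; Secure = $secure }
}

Test-HostHeaderRejected
```

If IIS still holds a catch-all binding on the port, the bogus Host name is served by that site and the check reports Secure = False; once every site on the port has only named bindings, HTTP.sys refuses unknown host names and the status falls in the 400 to 499 range.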
Check if SSL is required for Cookies
Setting: configuration/system.web/httpCookies/@requireSSL
Expected value: "true"
Prevent Header Injection Attacks
Setting: configuration/system.web/httpRuntime/@enableHeaderChecking
Expected value: "true"
Reference: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.enableheaderchecking
Prevent clickjacking attacks by restricting how a page can be embedded in a frame
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Frame-Options']/@value
Expected value: "SAMEORIGIN"
Reference: Clickjack attack – the hidden threat right in front of you, https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/
Prevent MIME-sniffing attacks
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Content-Type-Options']/@value
Expected value: "nosniff"
Disallow cross-domain policy files
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Permitted-Cross-Domain-Policies']/@value
Expected value: "none"
Score: 3.7M, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
Limit how much referrer information is included with redirect requests
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='Referrer-Policy']/@value
Expected value: "no-referrer"
Force HTTPS usage
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']/@value
Expected value: "max-age=31536000;includeSubdomains"
Limit attack surface by requiring a Content-Security-Policy
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='Content-Security-Policy']/@value
Expected value: "" (no specific policy is prescribed here)
Manage access to browser features to enhance security and privacy
Setting: configuration/system.webServer/httpProtocol/customHeaders/add[@name='Permissions-Policy']/@value
Expected value: "camera=(), microphone=(), geolocation=(), fullscreen=()"
Limit exposure by removing ASP.NET version details
Setting: configuration/system.webServer/httpProtocol/customHeaders/remove[@name='X-AspNet-Version']
Limit exposure by removing the Powered-By header
Setting: configuration/system.webServer/httpProtocol/customHeaders/remove[@name='X-Powered-By']
Limit exposure by removing the Server header
Setting: configuration/system.webServer/security/requestFiltering/@removeServerHeader
Expected value: "true"
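The PowerShell script below is an added example, not dbFront's own code. It replays the web.config checks listed above against a web.config document, using the same XPath expressions the scan reports, so an administrator can verify a file before deploying it. The embedded web.config is a constructed sample that satisfies every check; its Content-Security-Policy value is a placeholder to be tuned for the application, and treating any non-empty policy as a pass is this script's assumption, since the scan lists no specific value.

```powershell
# Added example (not dbFront's own code). Evaluates the scan's web.config checks offline.
# $SampleWebConfig is a constructed sample that passes every check; the CSP value is a placeholder.
$SampleWebConfig = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <httpRuntime enableHeaderChecking="true" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-AspNet-Version" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Permitted-Cross-Domain-Policies" value="none" />
        <add name="Referrer-Policy" value="no-referrer" />
        <add name="Strict-Transport-Security" value="max-age=31536000;includeSubdomains" />
        <add name="Content-Security-Policy" value="default-src 'self'" />
        <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=(), fullscreen=()" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@

# The checks, using the XPath expressions from the scan. Expected = $null means
# "must be present" (a <remove> element, or any non-empty CSP: the latter is an assumption).
$Root = 'configuration/system.webServer/httpProtocol/customHeaders'
$Checks = @(
    @{ Name = 'Cookies require SSL';               XPath = 'configuration/system.web/httpCookies/@requireSSL';           Expected = 'true' }
    @{ Name = 'Header checking enabled';           XPath = 'configuration/system.web/httpRuntime/@enableHeaderChecking'; Expected = 'true' }
    @{ Name = 'X-Frame-Options';                   XPath = "$Root/add[@name='X-Frame-Options']/@value";                  Expected = 'SAMEORIGIN' }
    @{ Name = 'X-Content-Type-Options';            XPath = "$Root/add[@name='X-Content-Type-Options']/@value";           Expected = 'nosniff' }
    @{ Name = 'X-Permitted-Cross-Domain-Policies'; XPath = "$Root/add[@name='X-Permitted-Cross-Domain-Policies']/@value"; Expected = 'none' }
    @{ Name = 'Referrer-Policy';                   XPath = "$Root/add[@name='Referrer-Policy']/@value";                  Expected = 'no-referrer' }
    @{ Name = 'Strict-Transport-Security';         XPath = "$Root/add[@name='Strict-Transport-Security']/@value";        Expected = 'max-age=31536000;includeSubdomains' }
    @{ Name = 'Content-Security-Policy';           XPath = "$Root/add[@name='Content-Security-Policy']/@value";          Expected = $null }
    @{ Name = 'Permissions-Policy';                XPath = "$Root/add[@name='Permissions-Policy']/@value";               Expected = 'camera=(), microphone=(), geolocation=(), fullscreen=()' }
    @{ Name = 'X-AspNet-Version removed';          XPath = "$Root/remove[@name='X-AspNet-Version']";                     Expected = $null }
    @{ Name = 'X-Powered-By removed';              XPath = "$Root/remove[@name='X-Powered-By']";                         Expected = $null }
    @{ Name = 'Server header removed';             XPath = 'configuration/system.webServer/security/requestFiltering/@removeServerHeader'; Expected = 'true' }
)

function Test-WebConfigHardening {
    param([Parameter(Mandatory)][string]$WebConfigXml)
    $doc = [xml]$WebConfigXml
    foreach ($check in $Checks) {
        $node = $doc.SelectSingleNode($check.XPath)
        if ($null -eq $node) {
            $actual = $null
            $pass   = $false                     # setting or header entry is missing entirely
        } elseif ($node.NodeType -eq 'Attribute') {
            $actual = $node.Value
            if ($null -eq $check.Expected) {
                $pass = -not [string]::IsNullOrWhiteSpace($actual)   # any non-empty value (assumption, CSP)
            } else {
                $pass = ($actual -eq $check.Expected)
            }
        } else {
            $actual = '(element present)'        # <remove name="..."/> only needs to exist
            $pass   = $true
        }
        [pscustomobject]@{ Check = $check.Name; Pass = $pass; Expected = $check.Expected; Actual = $actual }
    }
}

# Run against the constructed sample; for a real file use:
#   Test-WebConfigHardening -WebConfigXml (Get-Content -Raw .\web.config)
Test-WebConfigHardening -WebConfigXml $SampleWebConfig | Format-Table -AutoSize
```

Running the function against a deployed web.config lists each check with its expected and actual value, so a missing header or a mistyped value shows up before the dbFront scan reports it.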
Additional Reading
- Secure Root Web.config: https://dbfront.com/penetrationtesting#webconfig
- Security Headers: https://securityheaders.com
- Boosting Security with ASP.NET Core HTTP Headers: https://medium.com/@dev.mjdhanesh/boosting-security-with-asp-net-core-http-headers-3b26a8d3fdfd
- Hardening your HTTP response headers: https://scotthelme.co.uk/hardening-your-http-response-headers
- Website Hardening with HTTP Security Headers: https://arminreiter.com/2020/10/website-hardening-with-http-security-headers/
- Web Security/Guidelines/Web Security: https://wiki.mozilla.org/Security/Guidelines/Web_Security
Free Trial
dbFront offers a 30-day free trial so that you can download, install, and test it out in your environment. Please review the video tutorials and plan to start a free trial today. We believe you will be impressed.

