
Security Scan

To help secure every installation, newer versions of dbFront can run a security scan.


[Image: dbFront - Security Layers]

You can find the results of the security scan in the System Monitor.

Prevent site takeover with a CAA DNS Record

Check the DNS entries for the application domain and verify that a CAA record is present.  This check does not validate the CAA record itself.

Server Binding Check

Check whether the site accepts invalid Host headers by submitting a request with a domain name that is syntactically legal but not one of the site's own.  If the server rejects the request with a status code between 400 and 499, the check passes and the server binding is considered secure.

To secure your server, set up an explicit host-name binding in IIS for each website listed in your Sites.  Multiple bindings can share the same IP address and port.

You will likely need a binding for your primary domain (e.g. demo.dbFront.com) and one for "localhost" so that you can test and configure from the local server.

Check if SSL is required for Cookies

"configuration/system.web/httpCookies/@requireSSL", "true"

Prevent Header Injection Attacks

"configuration/system.web/httpRuntime/@enableHeaderChecking", "true"

Reference: https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.enableheaderchecking

Prevent clickjacking attacks by restricting how a page can be embedded in a frame

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Frame-Options']/@value", "SAMEORIGIN"

Reference: Clickjack attack – the hidden threat right in front of you, https://www.troyhunt.com/clickjack-attack-hidden-threat-right-in/

Prevent MIME-sniffing attacks

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Content-Type-Options']/@value", "nosniff"

Disallow cross-domain policy files

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='X-Permitted-Cross-Domain-Policies']/@value", "none"

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Permitted-Cross-Domain-Policies
3.7M, "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"

Limit how much referrer information should be included with redirect requests

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='Referrer-Policy']/@value", "no-referrer"

Force HTTPS usage

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']/@value", "max-age=31536000;includeSubdomains"

Limit attack surface by requiring a Content-Security-Policy

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='Content-Security-Policy']/@value", ""

Manage access to browser features to enhance security and privacy

"configuration/system.webServer/httpProtocol/customHeaders/add[@name='Permissions-Policy']/@value", "camera=(), microphone=(), geolocation=(), fullscreen=()"

Limit exposure by removing the ASP.NET version header

"configuration/system.webServer/httpProtocol/customHeaders/remove[@name='X-AspNet-Version']"

Limit exposure by removing the X-Powered-By header

"configuration/system.webServer/httpProtocol/customHeaders/remove[@name='X-Powered-By']"

Limit exposure by removing the Server header

"configuration/system.webServer/security/requestFiltering/@removeServerHeader", "true"
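The web.config checks above, applied by a small script.  This is an added example, not dbFront's own scanner: it embeds a constructed web.config fragment that sets every value listed on this page and evaluates each XPath/value pair against it.  Python's ElementTree cannot select a trailing "/@attribute", so the script splits that part off; reading the empty Content-Security-Policy value as "any non-empty policy passes" is an assumption, as is the sample policy "default-src 'self'".

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config that applies every setting listed on this page.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <httpRuntime enableHeaderChecking="true" />
  </system.web>
  <system.webServer>
    <security><requestFiltering removeServerHeader="true" /></security>
    <httpProtocol><customHeaders>
      <remove name="X-Powered-By" />
      <remove name="X-AspNet-Version" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-Permitted-Cross-Domain-Policies" value="none" />
      <add name="Referrer-Policy" value="no-referrer" />
      <add name="Strict-Transport-Security" value="max-age=31536000;includeSubdomains" />
      <add name="Content-Security-Policy" value="default-src 'self'" />
      <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=(), fullscreen=()" />
    </customHeaders></httpProtocol>
  </system.webServer>
</configuration>"""
# The page's checks as (xpath, expected). None: element only has to exist. "": any non-empty value (CSP; assumption).
HDR = "configuration/system.webServer/httpProtocol/customHeaders/"
CHECKS = [
    ("configuration/system.web/httpCookies/@requireSSL", "true"),
    ("configuration/system.web/httpRuntime/@enableHeaderChecking", "true"),
    ("configuration/system.webServer/security/requestFiltering/@removeServerHeader", "true"),
    (HDR + "add[@name='X-Frame-Options']/@value", "SAMEORIGIN"),
    (HDR + "add[@name='X-Content-Type-Options']/@value", "nosniff"),
    (HDR + "add[@name='X-Permitted-Cross-Domain-Policies']/@value", "none"),
    (HDR + "add[@name='Referrer-Policy']/@value", "no-referrer"),
    (HDR + "add[@name='Strict-Transport-Security']/@value", "max-age=31536000;includeSubdomains"),
    (HDR + "add[@name='Content-Security-Policy']/@value", ""),
    (HDR + "add[@name='Permissions-Policy']/@value", "camera=(), microphone=(), geolocation=(), fullscreen=()"),
    (HDR + "remove[@name='X-AspNet-Version']", None),
    (HDR + "remove[@name='X-Powered-By']", None),
]
def evaluate(root, xpath, expected):  # True when the parsed web.config satisfies one check
    path, attr = xpath.split("/", 1)[1], None   # drop the 'configuration' root segment
    if "/@" in path:                            # ElementTree cannot select '/@attr' itself
        path, attr = path.rsplit("/@", 1)
    elem = root.find(path)
    if elem is None or attr is None:            # remove[@name=...]: existence is enough
        return elem is not None
    value = elem.get(attr) or ""
    return bool(value) if expected == "" else value.lower() == expected.lower()

def scan(config_text):  # xpaths of the checks this web.config fails; [] means all pass
    return [xp for xp, exp in CHECKS if not evaluate(ET.fromstring(config_text), xp, exp)]
```

Point scan() at the text of your own root web.config to see which of the listed settings are still missing; an empty list means every check passes.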

Additional Reading

  • Secure Root Web.config: https://dbfront.com/penetrationtesting#webconfig
  • Security Headers: https://securityheaders.com
  • Boosting Security with ASP.NET Core HTTP Headers
    https://medium.com/@dev.mjdhanesh/boosting-security-with-asp-net-core-http-headers-3b26a8d3fdfd
  • Hardening your HTTP response headers
    https://scotthelme.co.uk/hardening-your-http-response-headers
  • Website Hardening with HTTP Security Headers
    https://arminreiter.com/2020/10/website-hardening-with-http-security-headers/
  • Web Security/Guidelines/Web Security
    https://wiki.mozilla.org/Security/Guidelines/Web_Security
