To prevent cross-site request forgery (CSRF), you can set the same-site attribute for your ASP.NET session cookies.
To set the same-site attribute for all .NET versions from 4.8.
Open the configuration file web.config for the chosen web application.
Enter the following code snippet in the <configuration> section:
<system.web>
<httpCookies sameSite="Strict" />
</system.web>
Save the file.
To prevent cookies being read by unauthorized persons, you can set the so called "secure" attribute for your ASP.NET session cookies. This means that cookies are only transferred over secure SSL connections.
To set the "secure" attribute for ASP.NET session cookies
Open the configuration file web.config for the chosen web application.
In the <configuration> section, enter the following code snippet:
<system.web>
<httpCookies requireSSL="true"/>
</system.web>
Save the file.
The URL parser in Microsoft Internet Information Services (IIS) makes it possible for remote attackers to reveal file and folder names of web applications (that should not be accessible) by using IIS 8.3 short names.
Use of this weak point can lead to files with sensitive data, such as login data, configuration files, maintenance scripts and other data, being passed on.
To prevent this, you can stop short names in Windows IIS 8.3 from being created.
To disable creation of Windows IIS 8.3 short names
On the system the web application is installed on, create the following registry entry:
Path: HKLM\SYSTEM\CurrentControlSet\Control\FileSystem
Name: NtfsDisable8dot3NameCreation
Value: 1
Reinstall the web application.
Attackers can obtain a lot of information about your servers and network by looking at the response header your server returns.
To give attackers a little information as possible, you can remove the HTTP response header in Windows IIS.
To remove the HTTP response header in Windows IIS
Read the instructions in the following links:
© ALL RIGHTS RESERVED. Feedback Termini di utilizzo Privacy Cookie Preference Center