Using HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that protects websites against protocol downgrade attacks and cookie hijacking. The server sends the response header "Strict-Transport-Security" to the user's browser over an HTTPS connection. For the period defined by the max-age parameter (in seconds), the browser then accesses this domain exclusively over HTTPS: plain http:// links are rewritten to https:// before the request is sent, and certificate errors can no longer be clicked through. The optional parameter includeSubDomains extends the policy to all subdomains, so that not only https://example.org is covered but also https://subdomain.example.org. Browsers ignore the header when it arrives over plain HTTP, so the policy only takes effect after the first successful HTTPS visit; a redirect from HTTP to HTTPS is therefore still required for that first request.
To enable HSTS
- Open the configuration file web.config for the chosen web application.
- Add the HTTP response header Strict-Transport-Security with the value max-age=<lifetime in seconds>, for example max-age=31536000 for one year. To cover all subdomains as well, use max-age=31536000; includeSubDomains. The directive name is max-age, written with a hyphen; a header without a valid max-age directive (for example "maxage = ...") is ignored by browsers.
The step above uses the IIS custom response headers (customHeaders in web.config). IIS 10.0 version 1709 and later also offer a native HSTS setting, the <hsts> element of a site in applicationHost.config, which can additionally redirect HTTP requests to HTTPS; for details, see https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts.
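The following web.config fragment is added here as an illustration of the procedure above; it is not taken from the product documentation. The lifetime of one year and the inclusion of subdomains are assumptions, to be chosen for your own deployment.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): web.config fragment that sends the
     Strict-Transport-Security header through the IIS customHeaders collection.
     The lifetime value and includeSubDomains are assumptions for this example. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- max-age is given in seconds: 31536000 = 365 days. Browsers cache the
             policy for the whole lifetime and will refuse plain-HTTP access to the
             host until it expires, so start with a short value (e.g. 300) while
             testing and raise it once every page of the site works over HTTPS. -->
        <!-- includeSubDomains extends the policy to every subdomain of the host,
             including ones served by other systems; verify that all of them offer
             HTTPS before enabling it. -->
        <add name="Strict-Transport-Security"
             value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

With this setting IIS adds the header to every response of the application, including responses sent over plain HTTP; browsers ignore it there, so the site still needs a separate redirect from HTTP to HTTPS. On IIS 10.0 version 1709 or later the same result, including the redirect, can be achieved without a custom header by adding <hsts enabled="true" max-age="31536000" includeSubDomains="true" redirectHttpToHttps="true" /> to the <site> element in applicationHost.config, as described at the link above. After enabling either variant, confirm with the browser developer tools or an HTTPS request from a command line that the header is present and has the intended value.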
Disabling insecure encryption mechanisms
It is recommended that you disable all unnecessary encryption protocols and cipher suites for security reasons. Currently this means disabling SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 as well as cipher suites based on RC4, DES, 3DES or NULL/export ciphers, and leaving TLS 1.2 (and TLS 1.3, where the operating system supports it) enabled. If you disable protocols and cipher suites, older platforms and clients may no longer be able to establish connections with the web applications. Therefore, you must decide which protocols and cipher suites are necessary, based on the platforms that have to be supported. Note that these settings are made in the SCHANNEL configuration of the Windows server: they apply to all applications and services on that server that use SCHANNEL for TLS, not only to the chosen web application, and a restart of the server is required for them to take effect.
NOTE: The software "IIS Crypto" from Nartac Software is recommended for disabling encryption protocols and cipher suites. It edits the SCHANNEL registry settings described above and provides predefined templates (for example "Best Practices") that you can adjust before applying them.
For more information about disabling encryption, see https://www.nartac.com/Products/IISCrypto.
Setting the "HttpOnly" attribute for ASP.NET session cookies
The "HttpOnly" attribute prevents client-side scripts from accessing a cookie: a script running in the page can no longer read it via document.cookie or send it to another server. Setting the attribute for your ASP.NET session cookies does not stop cross-site scripting (XSS) itself, but it limits its impact, because a script injected by an attacker cannot steal the session cookie. The browser still sends HttpOnly cookies with every request, so they keep working for the application.
To set the "HttpOnly" attribute for ASP.NET session cookies
- Open the configuration file web.config for the chosen web application.
- In the <configuration> section, enter the following code snippet:
  <system.web>
    <httpCookies httpOnlyCookies="true"/>
  </system.web>
- Save the file.
Setting the "same-site" attribute for ASP.NET session cookies
The SameSite attribute tells the browser not to send a cookie with requests that originate from another site, which removes the basis of cross-site request forgery (CSRF): a forged request triggered from an attacker's page arrives without the session cookie and is treated as unauthenticated. With the value Strict the cookie is withheld from all cross-site requests, including a user simply following a link to the application from another site or from an e-mail; with Lax it is still sent on top-level navigations that use a safe method such as GET. Strict is the safest choice for a session cookie if that behaviour is acceptable for your users. SameSite complements, but does not replace, the application's own CSRF protection. Note that the ASP.NET session state cookie has its own cookieSameSite attribute on the sessionState element, which should be set to the same value.
To set the SameSite attribute (.NET Framework 4.7.2 or later; earlier versions do not recognize the sameSite attribute and report a configuration error)
- Open the configuration file web.config for the chosen web application.
- Enter the following code snippet in the <configuration> section:
  <system.web>
    <httpCookies sameSite="Strict" />
  </system.web>
- Save the file.
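As an added example that is not part of the original page, the following web.config combines the HttpOnly and SameSite settings of the two procedures above and adds the cookie attributes that usually accompany them in a hardening review. The requireSSL attribute and the sessionState setting go beyond the page's own snippets and are assumptions for this example: they presume that the application is served over HTTPS only and that .NET Framework 4.7.2 or later is installed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the original page): cookie hardening for an ASP.NET
     web application. Assumes HTTPS-only operation and .NET Framework 4.7.2 or
     later (required for the sameSite and cookieSameSite attributes). -->
<configuration>
  <system.web>
    <!-- Defaults for cookies that ASP.NET creates through HttpCookie:
         httpOnlyCookies: cookies cannot be read from client-side script (document.cookie)
         requireSSL:      cookies carry the Secure flag and are only sent over HTTPS;
                          do not enable this while the application is still reachable
                          over plain HTTP, because the browser would then drop the cookies
         sameSite:        cookies are not sent with cross-site requests (Strict) -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />

    <!-- The ASP.NET session cookie (ASP.NET_SessionId) takes its SameSite value from
         the sessionState element rather than from httpCookies, so it is set here
         as well; without this line the session cookie keeps the default of Lax. -->
    <sessionState cookieSameSite="Strict" />
  </system.web>
</configuration>
```

After saving the file, log in to the application once and inspect the Set-Cookie response headers in the browser developer tools: the session cookie should carry the attributes HttpOnly, Secure and SameSite=Strict. If users regularly reach the application through links from other sites or from e-mail and are then unexpectedly logged out, change both Strict values to Lax rather than removing the attribute. If the application also uses forms authentication, the <forms> element has its own cookieSameSite and requireSSL attributes that should be set in the same way.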