Disabling the HTTP request method TRACE
The TRACE request method lets a client trace the path to the web server and check that the request data arrives there unchanged. In effect it provides a trace route at the application level, i.e., the path to the web server across the intervening proxies. The method is mainly useful for debugging connections.
IMPORTANT: TRACE should not be enabled in a production environment because it can reduce performance.
To disable the HTTP request method TRACE using Internet Information Services
- You will find instructions by following this link:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/tracing/
Using HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections: a web security policy that helps protect websites against protocol downgrade attacks and cookie hijacking. The server sends a "Strict-Transport-Security" header to the user's browser, instructing it that, for a defined period (max-age), this domain must only be accessed over encrypted connections. The setting can optionally be extended to all subdomains with the includeSubDomains parameter, so that not only https://example.org is covered but also https://subdomains.example.org.
To enable HSTS
- Open the configuration file web.config for the chosen web application.
- Add the HTTP response header Strict-Transport-Security with the value max-age=expireTime.
For more detailed information about setting the HTTP Response Header, see https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts.
Disabling insecure encryption mechanisms
For security reasons it is recommended that you disable all unnecessary encryption methods and protocols. Note, however, that once these protocols and methods are disabled, older platforms and systems may no longer be able to establish connections with the web applications. You must therefore decide which protocols and methods are still needed, based on the platforms that have to be supported.
NOTE: The software "IIS Crypto" from Nartac Software is recommended for disabling encryption methods and protocols.
For more information about disabling encryption, see https://www.nartac.com/Products/IISCrypto.
Setting the "HttpOnly" attribute for ASP.NET session cookies
To prevent cookies from being read or manipulated by JavaScript, and thereby reduce the risk of cross-site scripting attacks and cookie theft, you can set the so-called "HttpOnly" attribute on your ASP.NET session cookies. Cookies carrying this attribute can no longer be accessed by client-side scripts.
To set the "HttpOnly" attribute for ASP.NET session cookies
- Open the configuration file web.config for the chosen web application.
- In the <configuration> section, enter the following code snippet:
  <system.web>
    <httpCookies httpOnlyCookies="true"/>
  </system.web>
- Save the file.
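As an added example (not part of the original article or the product's own configuration), the following web.config fragment combines the three settings described above: rejecting the TRACE verb through IIS request filtering, sending the HSTS header, and marking ASP.NET cookies HttpOnly. The max-age value of one year, the includeSubDomains parameter and the additional requireSSL attribute (Secure flag on cookies) are assumptions for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Mark every cookie issued by ASP.NET (including ASP.NET_SessionId) HttpOnly.
         requireSSL additionally sets the Secure flag; assumed here, not required by the article. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Reject the TRACE verb with HTTP 405; verbs not listed remain allowed. -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- max-age in seconds (one year, assumed value); includeSubDomains is optional. -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

A customHeaders entry is also emitted on plain-HTTP responses, which browsers ignore; the site-level <hsts> element available in newer IIS versions (see the link above) adds the header only on HTTPS responses. After deployment, verify that a TRACE request is answered with HTTP 405 and that the Strict-Transport-Security header and the HttpOnly flag appear in the responses.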