This content is archived.
Last updated: Sep 29 2014
Recommendations for ASP.NET security settings
This document contains general recommendations for ASP.NET-related security settings, to be used as a checklist after installing an EPiServer website. Below you will find recommendations for some common ASP.NET-related security areas, and how to manage these for EPiServer websites.
Weak password account lockout policy and password change functionality
EPiServer uses standard ASP.NET mechanisms for password handling, which allows rules such as password complexity policies to be configured. It is also possible to configure EPiServer to use Windows or Active Directory for authentication, in which case password changes and the lock-out policy are delegated to that directory.
Strong password complexity requirements on user accounts are always recommended, and any change to a user account should require the user's current password. It is also possible to use a different membership provider for EPiServer that does not allow password changes at all; either subclassing the SqlMembershipProvider or using the ActiveDirectoryMembershipProvider will work equally well.
Refer to the Microsoft references below for more information on how to manage membership accounts.
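The password-change restriction described above, as an added example that is not EPiServer's own code: a subclass of SqlMembershipProvider that refuses password changes and resets, with the provider registration shown in the leading comment (the provider name, namespace, type name and the EPiServerDB connection string name are assumptions).

```csharp
using System;
using System.Web.Security;

// Added example, not EPiServer code: a membership provider that refuses every way of
// setting a password. Provider, namespace and type names are assumptions; the web.config
// attributes are standard SqlMembershipProvider settings (EPiServerDB is the usual
// EPiServer connection string name; adjust to your site).
//   <membership defaultProvider="NoPasswordChangeProvider">
//     <providers>
//       <clear />
//       <add name="NoPasswordChangeProvider"
//            type="MySite.Security.NoPasswordChangeMembershipProvider, MySite"
//            connectionStringName="EPiServerDB"
//            minRequiredPasswordLength="12"
//            minRequiredNonalphanumericCharacters="1"
//            maxInvalidPasswordAttempts="5"
//            passwordAttemptWindow="10"
//            enablePasswordReset="false" />
//     </providers>
//   </membership>
namespace MySite.Security
{
    public class NoPasswordChangeMembershipProvider : SqlMembershipProvider
    {
        // Self-service password changes are handled outside the site (help desk, AD),
        // so refuse them here even when the caller supplies the current password.
        public override bool ChangePassword(string username, string oldPassword, string newPassword)
        {
            throw new NotSupportedException("Password changes are not available on this website.");
        }

        // ResetPassword assigns a new password without the current one; never allow it.
        public override string ResetPassword(string username, string answer)
        {
            throw new NotSupportedException("Password reset is not available on this website.");
        }

        // Report the restriction so callers (including the EPiServer UI) can hide reset features.
        public override bool EnablePasswordReset
        {
            get { return false; }
        }
    }
}
```

The complexity and lockout attributes in the comment are what the ASP.NET provider enforces on CreateUser and ValidateUser, so they belong in the same registration even when password changes are refused.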
Cross-site request forgery (CSRF) and reflected cross-site scripting
In EPiServer, CSRF issues can be addressed by using an HTTPS/SSL layer, since this blocks anyone else from replaying a request: they do not have access to its contents.
Ineffective session termination
EPiServer uses the standard ASP.NET authentication mechanisms, which do not support active logout and are basically sessionless. The recommendation is to use HTTPS for all communication, since this prevents third parties from sniffing the session token.
It is possible to extend ASP.NET's FormsAuthentication ticket with active logout, but that is not a feature provided by EPiServer out of the box.
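The FormsAuthentication active-logout extension mentioned above, as an added example that is not part of EPiServer: an HttpModule (class name assumed) that records each user's logout time server-side and rejects any ticket issued before it, so a captured cookie stops working once the user logs out.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Added example, not EPiServer code: an HttpModule that gives FormsAuthentication an active
// logout. A logout records the time server-side, and any ticket issued before that time is
// rejected even if someone captured the cookie earlier. Class name assumed; register it under
// <system.webServer><modules> (integrated pipeline).
public class ActiveLogoutModule : IHttpModule
{
    // Username -> UTC time of the last explicit logout. In-memory is enough for one server;
    // a load-balanced site needs a shared store, and an app restart forgets all entries.
    private static readonly ConcurrentDictionary<string, DateTime> LogoutTimes =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    public void Init(HttpApplication app)
    {
        // Runs after FormsAuthenticationModule has validated the ticket for this request.
        app.PostAuthenticateRequest += (sender, e) => RejectRevokedTicket(app.Context);
    }
    public void Dispose() { }
    // Call this from the logout action instead of FormsAuthentication.SignOut() alone.
    public static void SignOut(string username)
    {
        LogoutTimes[username] = DateTime.UtcNow;
        FormsAuthentication.SignOut();
    }

    // True when the ticket was issued at or before the user's last logout.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime loggedOutAt;
        return LogoutTimes.TryGetValue(ticket.Name, out loggedOutAt)
            && ticket.IssueDate.ToUniversalTime() <= loggedOutAt; // IssueDate is local time
    }
    private static void RejectRevokedTicket(HttpContext context)
    {
        var cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; } // tampered or foreign cookie
        if (ticket == null || !IsRevoked(ticket)) return;
        // Clear the cookie, send the user to the login page and skip the page handler.
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Because FormsAuthentication.SignOut removes any renewed cookie already queued on the response, a sliding-expiration ticket renewed earlier in the same request is discarded as well.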
Information disclosure through HTTP headers
Through the use of IIS and ASP.NET, some informational HTTP headers are added to every response, which may expose security-related information such as the ASP.NET and IIS versions. This can be changed using standard ASP.NET techniques and is not specific to EPiServer; it should be dealt with as part of standard application hardening. The X-AspNetMvc-Version header can be removed by setting the MvcHandler.DisableMvcResponseHeader property.
Refer to the blog post Removing HTTP Headers for ASP.NET sites for information on how to avoid disclosing server software information through HTTP headers.
Disabling of autocomplete
The recommendation is to replace the default login page with a custom login page that has autocomplete disabled. Forms containing user names, passwords or other sensitive information should have the autocomplete option disabled on both the form and the sensitive fields.
Vulnerability to clickjacking attacks
You can avoid clickjacking attacks by ensuring that your content cannot be embedded in other sites using frames. Use the X-Frame-Options HTTP response header to defend against clickjacking: it tells the browser that the page must not be loaded in a frame, and in code you can additionally blank the contents of the page if it is framed by another domain.
Refer to the recommendations described in the article The X-Frame-Options response header.
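An added example, not EPiServer code, that covers both the HTTP header disclosure section and the clickjacking section above: one HttpModule (class name assumed) that strips the server-software headers, sets MvcHandler.DisableMvcResponseHeader, and adds X-Frame-Options to every response.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example, not EPiServer code: an HttpModule that removes the headers revealing the
// server software and sets X-Frame-Options on every response. The class name is assumed;
// register it under <system.webServer><modules> (integrated pipeline, IIS 7 or later).
// Two of the headers can also be switched off in web.config, which is simpler:
//   <httpRuntime enableVersionHeader="false" />                      (X-AspNet-Version)
//   <httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>
public class ResponseHeaderHardeningModule : IHttpModule
{
    // Headers whose only purpose is to advertise what serves the site.
    private static readonly string[] DisclosureHeaders =
        { "Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version" };

    public void Init(HttpApplication app)
    {
        // Stops System.Web.Mvc from emitting X-AspNetMvc-Version in the first place.
        MvcHandler.DisableMvcResponseHeader = true;
        // Headers are final only just before they are sent, so hook that point.
        app.PreSendRequestHeaders += (sender, e) => Harden(app.Context.Response);
    }

    public void Dispose() { }

    public static void Harden(HttpResponse response)
    {
        foreach (var name in DisclosureHeaders)
        {
            response.Headers.Remove(name);
        }
        // SAMEORIGIN blocks framing by other sites while still allowing the site's own
        // frames (such as an editing preview); use DENY if the site never frames itself.
        response.Headers["X-Frame-Options"] = "SAMEORIGIN";
    }
}
```

Check the result with a raw HTTP client against both a page and a static file, since static files only pass through managed modules when runAllManagedModulesForAllRequests is enabled in web.config.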