This content is archived.
Last updated: Feb 23 2015
Recommendations for ASP.NET security settings
This document contains general recommendations for ASP.NET-related security settings, to be used as a checklist after installing an EPiServer website. Below you will find recommendations for some common ASP.NET-related security areas, and how to manage these for EPiServer websites.
Weak password account lockout policy and password change functionality
EPiServer uses the standard ASP.NET membership mechanisms for password handling, which allows password complexity policies to be configured. EPiServer can also be configured to use Windows or Active Directory for authentication, in which case password changes and the lock-out policy are delegated to that directory.
Strong password complexity requirements on user accounts are always recommended, and any change to a user account should require the user's current password. It is also possible to use a different Membership provider for EPiServer that does not allow password changes at all; subclassing SqlMembershipProvider or using ActiveDirectoryMembershipProvider both work equally well.
Refer to the Microsoft references below for more information on how to manage membership accounts.
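The following is an added example, not EPiServer's own code, of the subclassing approach mentioned above: a SqlMembershipProvider that rejects every password-change path and refuses to start with a weak complexity policy. The class and namespace names are hypothetical, and the length and character thresholds are example values.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration.Provider;
using System.Web.Security;

// Added example, not EPiServer's own code; class and namespace names are hypothetical.
// Register it in web.config as the default <membership> provider with
// type="Example.Security.NoPasswordChangeMembershipProvider" plus the usual
// connectionStringName and applicationName attributes of a SqlMembershipProvider.
namespace Example.Security
{
    public class NoPasswordChangeMembershipProvider : SqlMembershipProvider
    {
        public override void Initialize(string name, NameValueCollection config)
        {
            base.Initialize(name, config);
            // Fail at startup rather than run with a weak policy. The values come from the
            // minRequiredPasswordLength / minRequiredNonalphanumericCharacters attributes.
            if (MinRequiredPasswordLength < 12 || MinRequiredNonAlphanumericCharacters < 1)
            {
                throw new ProviderException("Membership password policy is too weak: " +
                    "require length >= 12 and at least one non-alphanumeric character.");
            }
        }

        // Password changes are handled outside the website (help desk, Active Directory),
        // so every change path the provider exposes is rejected here.
        public override bool ChangePassword(string username, string oldPassword, string newPassword)
        {
            return false;
        }
        public override bool ChangePasswordQuestionAndAnswer(string username, string password,
            string newPasswordQuestion, string newPasswordAnswer)
        {
            return false;
        }

        // Advertise that resets are unavailable so membership controls hide the option,
        // and refuse them even if something calls the method directly.
        public override bool EnablePasswordReset
        {
            get { return false; }
        }
        public override string ResetPassword(string username, string passwordAnswer)
        {
            throw new NotSupportedException("Password reset is not permitted through the website.");
        }
    }
}
```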
Cross-site request forgery (CSRF) and reflected cross-site scripting
In EPiServer, CSRF issues can be addressed by serving the site over an HTTPS/SSL layer: a third party cannot read the contents of a request in transit and therefore cannot replay it.
Ineffective session termination
EPiServer uses the standard ASP.NET forms authentication mechanism, which is essentially sessionless and does not support active logout. The FormsAuthentication ticket handling can be extended to support active logout, but EPiServer does not provide this out of the box. The recommendation is to use HTTPS for all communication, since this prevents third parties from sniffing the authentication token.
Information disclosure through HTTP headers
Through the use of IIS and ASP.NET, some informational HTTP headers are added to every response, which may expose security-related information such as the ASP.NET and IIS versions. This can be changed using standard ASP.NET techniques and is not specific to EPiServer; it should be dealt with as part of standard application hardening. The X-AspNetMvc-Version header can be removed simply by setting the MvcHandler.DisableMvcResponseHeader property to true.
Refer to the blog post Removing HTTP Headers for ASP.NET sites for information on how to avoid disclosing server software information through HTTP headers.
Disabling of autocomplete
The recommendation is to replace the default login page with a custom login page that has autocomplete disabled. Forms containing user names, passwords or other sensitive information should have the autocomplete option disabled on both the form and the sensitive fields.
Vulnerability to clickjacking attacks
Clickjacking attacks are avoided by ensuring that the site's content cannot be embedded in other sites using frames. Use the X-Frame-Options HTTP response header for this: it tells the browser that the page must not be loaded in a frame, and in addition you can blank the page contents through code if it is framed by another domain.
Refer to the recommendations described in the article The X-Frame-Options response header.
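As an added example covering both the HTTP header section and the clickjacking section above (not EPiServer's own code), this Global.asax.cs removes the version-disclosing headers and sets X-Frame-Options on every response. It assumes the IIS integrated pipeline, which is what makes Response.Headers writable from managed code; the base class should be whatever the site's existing Global class already derives from, HttpApplication is used here only as a placeholder.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example, not EPiServer's own code. Assumes the IIS integrated pipeline.
// The same result can be reached partly through web.config: X-AspNet-Version via
// <httpRuntime enableVersionHeader="false" /> and X-Powered-By via
// <system.webServer><httpProtocol><customHeaders><remove name="X-Powered-By" />.
namespace Example.Web
{
    public class Global : HttpApplication
    {
        protected void Application_Start()
        {
            // Stops ASP.NET MVC from emitting X-AspNetMvc-Version on every response.
            MvcHandler.DisableMvcResponseHeader = true;
        }

        // Runs just before the headers are flushed, so it also covers static files
        // and error responses that never reach an MVC controller.
        protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
        {
            var headers = Response.Headers;

            // Software version disclosure: strip what IIS and ASP.NET add by default.
            headers.Remove("Server");
            headers.Remove("X-Powered-By");
            headers.Remove("X-AspNet-Version");

            // Clickjacking: only this origin may frame the page. SAMEORIGIN keeps the
            // site's own framing working; use DENY if nothing on the site is ever framed.
            headers.Set("X-Frame-Options", "SAMEORIGIN");
        }
    }
}
```

Verify the result with a plain HTTP client against a page, a static file and a 404: none of the three should carry Server, X-Powered-By, X-AspNet-Version or X-AspNetMvc-Version, and all should carry X-Frame-Options.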