This content is archived.
Last updated: Sep 21 2015
Recommendations for ASP.NET security settings
After you install an Episerver website, use the recommendations in this topic to manage some common ASP.NET-related security areas for Episerver websites.
Weak password account lockout policy and password change functionality
Episerver uses the standard ASP.NET membership mechanisms for password handling, which lets you configure password complexity, account lockout (maxInvalidPasswordAttempts and passwordAttemptWindow on the membership provider) and related policies in web.config. You also can configure Episerver to use Windows or Active Directory for authentication, in which case password changes and the lockout policy are delegated to the domain.
You should enforce strong password complexity requirements on user accounts and ensure that any change to a user account requires the user's current password. You also can use a different membership provider for Episerver that does not allow password changes at all; either subclassing SqlMembershipProvider or using ActiveDirectoryMembershipProvider works equally well.
See the Microsoft documentation on managing ASP.NET membership accounts for the provider attributes and their defaults.
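The following is an added example (not Episerver code) of the two points above: a provider derived from SqlMembershipProvider that keeps the stock login and lockout behaviour but refuses every password-setting path, and a small guard that re-validates the current password before a sensitive account change. The provider name ReadOnlyPasswordMembershipProvider and the AccountChangeGuard helper are assumptions; the web.config attributes named in the comments are the standard ASP.NET ones.

```csharp
using System;
using System.Web.Security;

// Added example, not Episerver code. Register it under
// <membership defaultProvider="ReadOnlyPasswords"> with the same attributes as the
// SqlMembershipProvider it replaces (connectionStringName, applicationName,
// minRequiredPasswordLength, minRequiredNonalphanumericCharacters,
// passwordStrengthRegularExpression, maxInvalidPasswordAttempts, passwordAttemptWindow).
public class ReadOnlyPasswordMembershipProvider : SqlMembershipProvider
{
    // Passwords are set out of band (administrator or a separate tool), so every
    // path that could set one from the web application is refused.
    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        throw new NotSupportedException("Password changes are not permitted through the website.");
    }

    public override string ResetPassword(string username, string answer)
    {
        throw new NotSupportedException("Password reset is not permitted through the website.");
    }

    public override bool ChangePasswordQuestionAndAnswer(string username, string password,
        string newPasswordQuestion, string newPasswordAnswer)
    {
        throw new NotSupportedException("Password question changes are not permitted through the website.");
    }

    // Advertise no reset or retrieval so the ASP.NET account controls
    // (ChangePassword, PasswordRecovery) do not offer them in the first place.
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
}

// Hypothetical helper: call this before any sensitive account change (e-mail,
// roles, ...). ValidateUser counts failures toward the configured lockout, so an
// attacker who has hijacked a session cannot brute-force the current password here.
public static class AccountChangeGuard
{
    public static bool ReauthenticateOrRefuse(string userName, string currentPassword)
    {
        var user = Membership.GetUser(userName, false /* userIsOnline */);
        if (user == null || user.IsLockedOut)
        {
            return false;   // locked-out users stay locked out until an admin calls UnlockUser()
        }
        return Membership.ValidateUser(userName, currentPassword);
    }
}
```

With this provider in place the Episerver admin interface can still validate logins and report lockouts, but any "change password" action that reaches ChangePassword fails with NotSupportedException; an AD-backed site gets the same effect with ActiveDirectoryMembershipProvider and a domain password policy instead.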
Cross-site request forgery (CSRF) and reflected cross-site scripting
HTTPS/SSL is still required, because it stops a third party from reading or replaying captured requests, but on its own it does not prevent CSRF: a forged request is sent by the victim's own browser, over TLS, with the victim's cookies attached. In Episerver you address CSRF with the standard ASP.NET mechanisms: require an anti-forgery token on every request that changes state (in MVC, @Html.AntiForgeryToken() in the form and [ValidateAntiForgeryToken] on the action) and keep GET handlers free of side effects. For reflected cross-site scripting, rely on output encoding: Razor's @ syntax HTML-encodes by default, so treat every use of Html.Raw and every piece of markup built from request input in code as a review point.
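As an added example (not code from Episerver or this page), the following applies the anti-forgery check globally so that no action can forget it, and shows the explicit encoding needed when a reflected parameter is turned into markup in code. The filter name, the MvcApplication class and the SearchController are assumptions; AntiForgery.Validate, AntiForgeryConfig and HttpUtility.HtmlEncode are the standard ASP.NET APIs.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example, not Episerver code. A global MVC authorization filter that
// demands a valid anti-forgery token on every request that can change state.
public sealed class ValidateAntiForgeryOnUnsafeMethodsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var method = filterContext.HttpContext.Request.HttpMethod;
        if (IsSafeMethod(method)) return;   // GET/HEAD/OPTIONS must not change state anyway

        // The same check [ValidateAntiForgeryToken] performs: the __RequestVerificationToken
        // form field must match the anti-forgery cookie and the current user. It throws
        // HttpAntiForgeryException on failure, which MVC reports as an error response.
        AntiForgery.Validate();
    }

    public static bool IsSafeMethod(string httpMethod)
    {
        return string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "HEAD", StringComparison.OrdinalIgnoreCase)
            || string.Equals(httpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase);
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Applies to every controller, including ones added by packages later.
        GlobalFilters.Filters.Add(new ValidateAntiForgeryOnUnsafeMethodsAttribute());
        // The anti-forgery cookie is only issued and accepted over HTTPS.
        AntiForgeryConfig.RequireSsl = true;
    }
}

// Reflected input on the response: Razor's @ syntax HTML-encodes automatically,
// so the places that need attention are Html.Raw and markup built in code.
public class SearchController : Controller
{
    public ActionResult Index(string q)
    {
        // In a view, <p>You searched for @Model</p> is encoded by Razor.
        // When the fragment is built in code the encoding must be explicit:
        var safeFragment = "<p>You searched for " + HttpUtility.HtmlEncode(q ?? string.Empty) + "</p>";
        return Content(safeFragment, "text/html");
    }
}
```

Every form that posts to the site must now render @Html.AntiForgeryToken(), and AJAX callers must send the token as well; after enabling the global filter, verify that the administrative UI and any integrations that post to MVC controllers still work, since they are subject to the same check.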
Ineffective session termination
Episerver uses standard ASP.NET forms authentication, which has no server-side notion of a session: the authentication ticket in the cookie is self-contained, so FormsAuthentication.SignOut only removes the cookie from the browser, and a copy of the ticket taken before logout remains valid until it expires. You can extend ASP.NET's FormsAuthentication ticket handling with an active logout that revokes tickets on the server, but that is not a feature provided by Episerver. Use HTTPS for the whole authenticated session, and set requireSSL="true" on the forms element so the cookie is never sent in clear, because this does not let third parties sniff the ticket; keep ticket lifetimes short, since expiry is the only built-in termination.
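The extension described above, as an added example that is not part of Episerver: a logout action records the time of the explicit logout, and an HTTP module rejects any forms ticket issued before that time, so a stolen copy of the cookie stops working at logout rather than at expiry. LogoutRegistry, RevokedTicketModule and AccountController are assumptions; the in-memory dictionary stands in for a shared store.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical server-side record of each user's most recent explicit logout.
// In production this must live in a shared store (database or distributed cache);
// a per-process dictionary means every web node sees different revocations.
public static class LogoutRegistry
{
    private static readonly ConcurrentDictionary<string, DateTime> LastLogoutUtc =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void RecordLogout(string userName)
    {
        LastLogoutUtc[userName] = DateTime.UtcNow;
    }

    // A ticket is revoked when it was issued strictly before the user's last logout;
    // a ticket issued by a later login is therefore still accepted.
    public static bool IsRevoked(FormsAuthenticationTicket ticket)
    {
        DateTime logoutUtc;
        return LastLogoutUtc.TryGetValue(ticket.Name, out logoutUtc)
            && ticket.IssueDate.ToUniversalTime() < logoutUtc;
    }
}

// Runs after FormsAuthenticationModule has already validated the cookie signature
// and set the principal, so the ticket can be read from the identity without
// decrypting the cookie again. Register under <system.webServer><modules>.
public class RevokedTicketModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var identity = app.Context.User == null ? null : app.Context.User.Identity as FormsIdentity;
        if (identity == null || !LogoutRegistry.IsRevoked(identity.Ticket)) return;

        // Stale ticket: drop the cookie and continue the request as anonymous.
        FormsAuthentication.SignOut();
        app.Context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    public void Dispose() { }
}

public class AccountController : Controller
{
    // POST plus a token, so a cross-site GET cannot log users out.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        if (User.Identity.IsAuthenticated)
        {
            LogoutRegistry.RecordLogout(User.Identity.Name);   // revoke every existing ticket
        }
        FormsAuthentication.SignOut();   // clears the cookie in this browser
        Session.Abandon();               // and any ASP.NET session state tied to it
        return RedirectToAction("Index", "Home");
    }
}
```

The comparison relies on the web servers' clocks agreeing with the store, so keep them synchronised; with sliding expiration the ticket's IssueDate is refreshed on renewal, which is fine here because a renewed ticket still carries the issue time of its renewal, not of the original login.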
Through the use of IIS and ASP.NET, some informational HTTP headers are added to every response that might expose security-related information such as the ASP.NET and IIS versions (Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version). You can suppress these using standard ASP.NET and IIS techniques; this is not specific to Episerver and should be dealt with as part of standard application hardening. The X-AspNetMvc-Version header is removed by setting MvcHandler.DisableMvcResponseHeader to true, X-AspNet-Version by <httpRuntime enableVersionHeader="false" />, and X-Powered-By by removing it from customHeaders under system.webServer; the Server header is set by IIS itself and has to be stripped from the response before the headers are sent.
See Removing HTTP Headers for ASP.NET sites for information about how to avoid disclosing server software information through HTTP headers.
Disabling of autocomplete
You should build a custom login page with autocomplete disabled, replacing the default login page. Forms containing user names and passwords, or other sensitive information, should have the autocomplete option disabled on both the form and the sensitive fields. Note that current browsers ignore autocomplete="off" on login fields so that their password managers keep working, so treat this as defence in depth for shared machines rather than a control you can rely on.
Vulnerability to clickjacking attacks
You can prevent clickjacking attacks on websites by ensuring that your content is not embedded into other sites using frames. Use the X-Frame-Options HTTP response header to defend against clickjacking: DENY indicates that the page must never be loaded in a frame, and SAMEORIGIN allows framing only by pages from the same origin. As a fallback for browsers that ignore the header, script on the page can blank its contents when it detects that it is framed by another domain; the header is the reliable control and the script is only defence in depth.
See the recommendations in The X-Frame-Options response header.
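The following added example (not Episerver code) serves both the section on informational HTTP headers and the clickjacking section above: one HTTP module that sets MvcHandler.DisableMvcResponseHeader, strips the remaining software-identifying headers late enough to catch the IIS Server header, and adds the anti-framing headers. The module and class names are assumptions; the header names and the configuration settings in the comments are the standard ASP.NET and IIS ones.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.Mvc;

// Added example, not Episerver code. Register it in web.config under
// <system.webServer><modules> (integrated pipeline is required, because
// HttpResponse.Headers cannot be modified in classic mode), for example
// <add name="ResponseHeaderHardening" type="ResponseHeaderHardeningModule" />.
public class ResponseHeaderHardeningModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // X-AspNetMvc-Version is emitted by MvcHandler; a single static flag turns it off.
        MvcHandler.DisableMvcResponseHeader = true;
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var response = ((HttpApplication)sender).Response;
        HardenHeaders(response.Headers);
    }

    // Kept separate from the event so the rewriting can be read and tested on its own;
    // NameValueCollection is the type HttpResponse.Headers exposes.
    public static void HardenHeaders(NameValueCollection headers)
    {
        // "Server" is added by IIS and can only be removed this late in the pipeline.
        headers.Remove("Server");
        // X-AspNet-Version is normally disabled with <httpRuntime enableVersionHeader="false" />
        // and X-Powered-By with <remove name="X-Powered-By" /> under
        // <system.webServer><httpProtocol><customHeaders>; removing them here as well
        // covers an environment where that configuration was missed.
        headers.Remove("X-AspNet-Version");
        headers.Remove("X-Powered-By");

        // Clickjacking: SAMEORIGIN lets pages on this host frame each other (an editing
        // UI served from the same origin keeps working) while refusing every other origin.
        // Use DENY only if nothing on your own origin needs to frame the page.
        headers.Set("X-Frame-Options", "SAMEORIGIN");
        // frame-ancestors is the standardised successor, honoured by browsers with
        // CSP Level 2 support. If the site already sends a Content-Security-Policy,
        // add frame-ancestors to that policy instead of overwriting it here.
        headers.Set("Content-Security-Policy", "frame-ancestors 'self'");
    }

    public void Dispose() { }
}
```

Check the result with a plain request (for example curl -I against the site) and confirm that Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version are gone and X-Frame-Options is present on every response, including error pages and static files served through ASP.NET. Note that System.Web.Helpers' AntiForgery also adds X-Frame-Options: SAMEORIGIN on pages that render a token unless AntiForgeryConfig.SuppressXFrameOptionsHeader is set, so a page may legitimately already carry the header.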