HTTPS everywhere is a common theme of modern infosec topics. Despite that, when I google for implementation of HTTPS in ASP.Net MVC applications, I find only a handful of horrible questions on StackOverflow about how to implement HTTPS only on certain pages (i.e. the login page). There have been numerous rants about the security holes awaiting you down that path. And Troy Hunt will whack you over your head for doing that! See that link above? Go and read it! Seriously. I'll wait. Have you read it? Troy there explains why you want to have HTTPS Everywhere on your site, not just on a login page. Listen to this guy, he knows what he is talking about.

The problem I faced when I wanted to implement complete "HTTPS Everywhere" in my MVC applications is the lack of implementation instructions. I had a rough idea of what I needed to do, and now that I've done it a few times on different apps, my process is ironed out and I can share it with you here.

1. Redirect to HTTPS

Redirecting to the HTTPS schema is pretty simple in modern MVC. All you need to know about is

The problem with this filter is that once you add it to your app, you need to configure SSL on your development machine. If you work in a team, all dev machines must be configured with SSL. If you allow people to work from home, their home machines must be configured to work with SSL. And configuring SSL on dev machines is a waste of time. Maybe there is a script that can do that automatically, but I could not find one quickly. Instead of configuring SSL on local IIS, I decided to be a smart-ass and work around it. A quick study of the source code highlighted that the class is not sealed and I can just inherit this class. So I inherited
If you are too lazy to follow the link to the source code, I'll tell you: all this attribute does is check if the incoming request schema used is

One might argue that I'm creating a security hole by not redirecting to https on local requests. But if an intruder managed to make local requests on your server, you are toast anyway and SSL is not your priority at that moment. I looked up what
This is the decompiled implementation of

By the way, here are the unit tests for my implementation of the secure filter. Can't go without unit testing on this one! And don't forget to add this filter to the list of your global filters
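The filter described in this section, written out as an added example (this is not the post's own code or its Gist; the attribute and namespace names are hypothetical). It subclasses the stock System.Web.Mvc.RequireHttpsAttribute and lets requests through only when Request.IsLocal is true, which is the case for loopback traffic on a developer's machine; every other non-HTTPS request gets the base class's normal treatment (a redirect to the https:// URL for GET, an exception for other verbs). The second class shows the global-filter registration so that no controller is left uncovered.

```csharp
// Added example (not the post's own code): a RequireHttps subclass that lets
// local (developer-machine) requests through, so dev boxes need no SSL setup.
using System;
using System.Web.Mvc;

namespace HttpsEverywhere.Filters // hypothetical namespace
{
    public class RequireHttpsExceptLocalAttribute : RequireHttpsAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
                throw new ArgumentNullException("filterContext");

            // Request.IsLocal is true only when client and server address match
            // (loopback). Such a request never crosses the network, so skipping
            // the HTTPS check here does not expose traffic to interception.
            if (filterContext.HttpContext.Request.IsLocal)
                return;

            // Everything else goes through the stock behaviour: GET requests get
            // a redirect to the https:// URL, other verbs get an
            // InvalidOperationException (the base refuses to replay a POST body).
            base.OnAuthorization(filterContext);
        }
    }
}

namespace HttpsEverywhere // hypothetical namespace
{
    // App_Start/FilterConfig.cs: registering the attribute as a global filter
    // covers every controller action without decorating each one by hand.
    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new Filters.RequireHttpsExceptLocalAttribute());
        }
    }
}
```

One caveat for production: the base class decides "is this HTTPS?" from Request.IsSecureConnection, which is false when TLS is terminated on a load balancer in front of the web server. In that setup the filter would redirect forever; the check then has to look at whatever header the proxy uses to announce the original scheme (commonly X-Forwarded-Proto), and only trust that header from the proxy's own address.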
2. Cookies

If you think that redirecting to https is enough, you are very wrong. You must take care of your cookies, and set all of them by default to be

You can secure your cookies in web.config pretty simply:

The only issue with that is the development stage. Again, if you are developing locally you won't be able to log in to your application without https running locally. The solution to that is

So in your

and in your

This secures your cookies when you publish your application. Simples!

3. Secure authentication cookie

Apart from all your cookies being secure, you need to specifically require the authentication cookie to be

4. Strict Transport Security Header

The Strict Transport Security header is an HTTP header that tells web browsers to only use HTTPS when dealing with your web application. This reduces the risk of an SSL Strip attack. To add this header by default to your application you can add this section to your

Again, the same issue as before: developers will have to have SSL configured on their local machines. Or you can do that via
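Sections 2 to 4 solve the "works in production, works on localhost" problem with web.config and config transforms. The same protections can be applied from code, which sidesteps the transform entirely: the HTTP module below is an added example (not the post's own code; the module and namespace names are hypothetical) that sets the Secure flag on every outgoing cookie, which includes the forms authentication cookie, and emits the Strict-Transport-Security header, skipping both for local requests so a developer's plain http://localhost keeps working. It goes beyond the post in one respect: per RFC 6797 browsers only honour HSTS on a response received over HTTPS, so the header is emitted only then. Forms authentication's requireSSL has no code-level setter (FormsAuthentication.RequireSSL is read-only), so that one setting stays in web.config.

```csharp
// Added example (not the post's own code): Secure cookies + HSTS from code,
// exempting local requests instead of relying on a web.config transform.
using System;
using System.Web;

namespace HttpsEverywhere // hypothetical namespace
{
    public class SecureCookiesAndHstsModule : IHttpModule
    {
        // One year is the usual production value. While rolling out, start
        // with a short max-age: browsers cache HSTS, and a broken HTTPS setup
        // locks users out until the cached policy expires.
        private static readonly TimeSpan HstsMaxAge = TimeSpan.FromDays(365);

        public void Init(HttpApplication app)
        {
            // EndRequest runs after the handler (and after SetAuthCookie) has
            // added its cookies but before headers are sent, unless the handler
            // called Response.Flush explicitly.
            app.EndRequest += OnEndRequest;
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            HttpRequest request = app.Request;
            HttpResponse response = app.Response;

            // Local requests come from the developer's own machine; leave them
            // alone so the site still works over plain HTTP on localhost.
            if (request.IsLocal)
                return;

            // Equivalent of <httpCookies requireSSL="true" />: a Secure cookie is
            // never sent by the browser over plain HTTP, so a downgrade to HTTP
            // cannot expose the session or authentication cookie.
            for (int i = 0; i < response.Cookies.Count; i++)
            {
                response.Cookies[i].Secure = true;
            }

            // RFC 6797: HSTS is only honoured when received over HTTPS, so there
            // is no point emitting it on an HTTP reply (the redirect to https://
            // from section 1 is what gets the browser there first).
            if (request.IsSecureConnection)
            {
                // Drop includeSubDomains if any subdomain still has to be
                // reachable over plain HTTP; the policy applies to all of them.
                response.AddHeader("Strict-Transport-Security",
                    "max-age=" + (long)HstsMaxAge.TotalSeconds + "; includeSubDomains");
            }
        }

        public void Dispose() { }
    }
}
```

Register it under system.webServer/modules in web.config with an add element whose type attribute is the module's full type name (HttpsEverywhere.SecureCookiesAndHstsModule in this example). As with the MVC filter, IsSecureConnection is false behind a TLS-terminating load balancer; in that case the HSTS check needs to consult the proxy's forwarded-scheme header instead, and only when the request actually arrived from the proxy.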
5. Secure your WebApi

WebApi is very cool and the default template for MVC applications now comes with WebApi activated. Redirecting all MVC requests to HTTPS does not redirect WebApi requests. So even if you secured your MVC pipeline, your WebApi requests are still available via HTTP. Unfortunately, redirecting WebApi requests to HTTPS is not as simple as it is with MVC. There is no

This is a global handler that rejects all non-https requests to WebApi. I did not do any redirection (not sure this term is applicable to WebApi) because there is no excuse for clients to use HTTP first. WARNING: This approach couples WebApi to

Don't forget to add this handler as a global:
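A global Web API message handler with the behaviour this section describes, as an added example (not the post's own code; the handler and namespace names are hypothetical). It rejects any request whose URI scheme is not https with a 403 and a plain error body rather than redirecting, and, like the MVC filter, lets local requests through. To avoid the coupling the post warns about, the local check uses Web API's own HttpRequestMessage.IsLocal() extension (System.Net.Http namespace in the System.Web.Http assembly) instead of HttpContext.Current, which also keeps the handler usable under self-host and in unit tests; for a bare HttpRequestMessage with no host information the extension returns false, so the safe default is "not local".

```csharp
// Added example (not the post's own code): a Web API message handler that
// refuses every request not made over HTTPS, except local (developer) ones.
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

namespace HttpsEverywhere.Api // hypothetical namespace
{
    public class RequireHttpsHandler : DelegatingHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            bool isHttps = string.Equals(request.RequestUri.Scheme,
                                         Uri.UriSchemeHttps,
                                         StringComparison.OrdinalIgnoreCase);

            // request.IsLocal() reads the host's "is local" flag from the request
            // properties, so no HttpContext.Current is needed; it is false when
            // that flag is absent (self-host without the flag, unit tests).
            if (isHttps || request.IsLocal())
                return base.SendAsync(request, cancellationToken);

            // No redirect: an API client that started on http:// has already put
            // its credentials or payload on the wire in clear, so a redirect only
            // hides the mistake. Tell it plainly to fix the URL.
            HttpResponseMessage denied = request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "HTTPS is required for this API.");
            return Task.FromResult(denied);
        }
    }

    // App_Start/WebApiConfig.cs: a handler in config.MessageHandlers runs for
    // every request before routing, so every ApiController is covered.
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.MessageHandlers.Add(new RequireHttpsHandler());

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional });
        }
    }
}
```

Because the handler is a plain DelegatingHandler, it can be unit tested without IIS: wrap it in an HttpMessageInvoker with a stub InnerHandler that returns 200, send an HttpRequestMessage for http://example.test/api/values and assert on a 403, then the same URI with https and assert on the stub's 200. The same load-balancer caveat as for the MVC filter applies: with TLS terminated upstream, RequestUri.Scheme is http and the handler would reject everything unless it also honours the proxy's forwarded-scheme header.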
6. Set up an automatic security scanner for your site

ASafaWeb is a great tool that checks for basic security issues on your application. The best feature is the scheduled scan. I've set all my applications to be scanned on a weekly basis and if something fails, it emails me. So far this has helped me once, when the error pages on one of the apps were messed up. If not for this automated scan, the issue could have stayed there forever. So go and sign up!

Conclusion

This is in no way a complete guide to securing your application. But it will help you with a few of the steps you need to take to lock down your application. In this Gist you can copy my