
Security headers & DNN

9/26/2018
Introduction

In our battle against hackers there is a lot of work to do these days. And, as with most topics, perfection is a lot of simple things done right.

We have instructed our customers to use complex passwords, we have a firewall, logins go over SSL, and we added a content security policy (CSP). Another topic is security headers.

Like CSP, security headers are HTTP response headers that tell the browser how to behave, so that the site does not run into easily preventable vulnerabilities. The OWASP project can be found here:
https://www.owasp.org/index.php/OWASP_Secure_Heade...

A pretty good place for more info on security headers can be found on https://www.keycdn.com/blog/http-security-headers/

Ok, I want this. Now what do I put where?

In the web.config, in the customHeaders section.
In the example below, you might want to remove the content security policy, as this is a separate topic.

* As always: back up your web.config for an easy roll back, as one mistake can break image galleries, other scripts, iframed content or even take down your website! *

Example of code

<httpProtocol>
  <customHeaders>
    <!-- Browser-side protections -->
    <add name="X-XSS-Protection" value="1; mode=block" />
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    <!-- Very permissive CSP (any origin for all fetches); drop this line if you handle CSP separately -->
    <add name="Content-Security-Policy" value="default-src * ;" />
    <!-- Stop advertising the server stack -->
    <remove name="X-Powered-By" />
    <remove name="X-AspNet-Version" />
    <remove name="X-AspNetMvc-Version" />
    <!-- Remove the inherited Vary header before setting our own -->
    <remove name="Vary" />
    <add name="Vary" value="Accept-Encoding" />
    <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
  </customHeaders>
</httpProtocol>


How do I know if I did it right?

You can check your website on https://securityheaders.com

NOTE: Check ‘hide results’ to prevent others from gaining information about your vulnerable website.
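To see what the customHeaders section above actually yields, and to run the same kind of check securityheaders.com does against a captured response, here is an added example in Python (not code from the post or from the DNN project). It replays the <remove>/<add> entries of a constructed web.config fragment in document order, then audits the resulting header map against the headers this post recommends; the assumption that IIS rejects a duplicate <add> for the same name is mirrored as a ValueError.

```python
import xml.etree.ElementTree as ET
# Constructed web.config fragment (the post's example without the CSP line).
WEB_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="X-XSS-Protection" value="1; mode=block" />
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  <remove name="X-Powered-By" />
  <remove name="Vary" />
  <add name="Vary" value="Accept-Encoding" />
  <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
</customHeaders></httpProtocol></system.webServer></configuration>"""
# Headers the post adds (with a minimal check on each value) and the ones it removes.
BASELINE = {
    "Strict-Transport-Security": lambda v: "max-age=" in v,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "Referrer-Policy": lambda v: bool(v.strip()),
}
LEAKY = ("X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")

def headers_from_web_config(xml_text):
    """Replay <remove>/<add> in document order; returns {name: value} as IIS would send."""
    section = next(ET.fromstring(xml_text).iter("customHeaders"))
    headers = {}
    for el in section:
        name = el.get("name")
        if el.tag == "remove":
            headers.pop(name, None)
        elif el.tag == "add":
            if name in headers:  # IIS refuses duplicate <add> keys (mirrored here; assumption)
                raise ValueError(f"duplicate <add> for {name}")
            headers[name] = el.get("value", "")
    return headers

def audit(headers):
    """Return findings for a header map, e.g. one captured from a live response."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in BASELINE.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not ok(value):
            findings.append(f"weak {name}: {value!r}")
    for name in LEAKY:
        if name.lower() in lower:
            findings.append(f"leaks server details via {name}")
    if "default-src *" in lower.get("content-security-policy", ""):
        findings.append("CSP default-src * allows any origin")
    return findings
```

Feed `audit()` the headers of a real response (for example from `requests.head(url).headers`) to check a live site without publishing its results anywhere.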

Are there any reasons not to use this?

First of all, if you include a CSP, you might want to check https://caniuse.com/#feat=contentsecuritypolicy. Only modern browsers can cope with it.

Furthermore, it has been my experience that the <add name="X-Content-Type-Options" value="nosniff" /> tag caused issues in IE 11 on a product list where the images were served by an image handler (resizer). The tag prevented IE 11 from recognising that the images were actually images, so the browser tried to interpret them as HTML.

So it is up to you whether you want to include this tag or, if necessary, wait a bit until IE usage drops below a threshold that you find acceptable.
