Security headers & DNN

9/26/2018

Introduction

In our battle against hackers there is a lot of work to do these days, and as with most topics, perfection is a lot of simple things done right.

We have instructed our customers to use complex passwords, we have a firewall, we log in over SSL and we have added a content security policy (CSP). The next topic is security headers.

Like CSP, security headers are HTTP response headers that tell the browser to switch on protections it would otherwise leave off (refuse to guess content types, insist on HTTPS, limit what the Referer reveals), so the site does not run into easily preventable vulnerabilities. The OWASP Secure Headers Project can be found here:
https://www.owasp.org/index.php/OWASP_Secure_Heade...

A good place for more information on security headers is https://www.keycdn.com/blog/http-security-headers/

Ok, I want this. Now what do I put where?

In the web.config, in the <customHeaders> section under <system.webServer>/<httpProtocol>.
In the example below you may want to remove the Content-Security-Policy line, as CSP is a separate topic (the value shown is only a permissive placeholder).

* As always: back up your web.config for an easy rollback, as one mistake can break image galleries, other scripts, iframed content or even take down your website! *

Example of code (inside <system.webServer> in web.config)

<httpProtocol>
  <customHeaders>
    <!-- legacy IE/Chrome XSS filter; current browsers ignore this header -->
    <add name="X-XSS-Protection" value="1; mode=block" />
    <!-- browser must trust the declared Content-Type instead of sniffing the body -->
    <add name="X-Content-Type-Options" value="nosniff" />
    <!-- one year of HSTS; only send this once the site and all subdomains work over HTTPS -->
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
    <!-- placeholder CSP: default-src * allows any origin; drop or tighten it (separate topic) -->
    <add name="Content-Security-Policy" value="default-src * ;" />
    <!-- stop advertising the server stack -->
    <remove name="X-Powered-By" />
    <!-- if X-AspNet-Version is still sent, ASP.NET adds it itself: set
         <httpRuntime enableVersionHeader="false" /> in <system.web> -->
    <remove name="X-AspNet-Version" />
    <remove name="X-AspNetMvc-Version" />
    <!-- replace any inherited Vary header with the one caches need for compression -->
    <remove name="Vary" />
    <add name="Vary" value="Accept-Encoding" />
    <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
  </customHeaders>
</httpProtocol>


How do I know if I did it right?

You can check your website on https://securityheaders.com

NOTE: tick 'hide results' so your scan does not show up in the site's public list of recent scans and advertise the gaps of your still-vulnerable website.
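To do the same kind of check yourself, offline, here is an added Python example (it is not code from the original post, and it is not securityheaders.com's scoring, just the checks this article cares about done locally). It audits a dict of response headers for the headers configured above and flags headers that disclose the server stack. The two sample responses are constructed, not captured from a real site; fetch_headers() is the only part that touches the network.

```python
"""Offline audit of HTTP response headers against the hardening this article
applies.  Added example for this page; not the post's code and not
securityheaders.com's scoring, just the same checks done locally."""
import re
import urllib.request

# Headers that disclose the server stack and that the article removes.
LEAKY_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")

ONE_YEAR = 31536000  # the HSTS max-age the article's config uses


def get_header(headers, name):
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers, https=True):
    """Return a list of (severity, message) findings for one response's headers."""
    findings = []

    hsts = get_header(headers, "Strict-Transport-Security")
    if https:  # browsers ignore HSTS over plain HTTP, so only judge it on HTTPS responses
        match = re.search(r"max-age\s*=\s*(\d+)", hsts or "")
        if hsts is None:
            findings.append(("high", "missing Strict-Transport-Security"))
        elif not match or int(match.group(1)) < ONE_YEAR:
            findings.append(("medium", "Strict-Transport-Security max-age is under one year"))

    if (get_header(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append(("medium", "missing X-Content-Type-Options: nosniff"))

    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append(("medium", "missing Content-Security-Policy"))
    else:
        policy = parse_csp(csp)
        # 'default-src *' with no script-src lets scripts load from any origin.
        if "*" in policy.get("default-src", []) and "script-src" not in policy:
            findings.append(("low", "Content-Security-Policy 'default-src *' allows scripts from any origin"))

    if get_header(headers, "Referrer-Policy") is None:
        findings.append(("low", "missing Referrer-Policy"))
    if get_header(headers, "X-Frame-Options") is None:
        findings.append(("low", "missing X-Frame-Options (not in the article's config; clickjacking)"))

    for name in LEAKY_HEADERS:
        value = get_header(headers, name)
        if value:
            findings.append(("low", f"{name} discloses the stack: {value}"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    return {sev: sum(1 for s, _ in findings if s == sev) for sev in ("high", "medium", "low")}


def fetch_headers(url, timeout=10):
    """Live-check helper (network): the response headers of a GET to url."""
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return dict(resp.getheaders())


# Constructed samples (not captured from a real site): a stock IIS/DNN response
# and the same response once the article's customHeaders are in place.  Server
# stays in the second sample because customHeaders cannot remove it.
STOCK_RESPONSE = {
    "Server": "Microsoft-IIS/10.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_RESPONSE = {
    "Server": "Microsoft-IIS/10.0",
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src * ;",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Vary": "Accept-Encoding",
}

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, count_by_severity(audit_headers(sample)))
        for severity, message in audit_headers(sample):
            print(f"  [{severity}] {message}")
```

Against a live site the call is audit_headers(fetch_headers("https://example.test/")). The hardened sample still produces a finding for the Server header: the customHeaders section cannot remove it, so on IIS 10 set removeServerHeader="true" on <requestFiltering> (on older versions an outbound URL Rewrite rule does the job). The remaining low finding, the permissive default-src *, is the reason the article treats CSP as a separate topic.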

Are there any reasons not to use this?

First of all, if you include a CSP, you might want to check https://caniuse.com/#feat=contentsecuritypolicy. Browsers that do not understand the header simply ignore it, so it degrades safely, but the protection only applies to the modern browsers that support it.

Furthermore, it has been my experience that the <add name="X-Content-Type-Options" value="nosniff" /> tag caused issues in IE 11 on a product list where the images were handled by an image handler (resizer). The tag prevented IE11 from understanding that the images were actually images, which made the browser want to interpret the images as HTML.

So it is up to you whether you want to include this header or, if necessary, wait a bit until IE usage drops below a threshold you find acceptable. Keep in mind that nosniff only stops the browser from guessing: it can only break an image when the handler sends a missing or wrong Content-Type, so correcting the Content-Type the handler returns (image/jpeg, image/png, ...) fixes the product list and lets you keep the header.
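Because the nosniff problem comes down to the Content-Type the handler declares, here is an added Python example (not from the original post; the sample bytes and responses are constructed, not captured) that finds responses whose declared type disagrees with their magic bytes. Those are exactly the responses a browser that honours nosniff for images (as IE11 did) stops rendering, and the example also shows the handler-side fix that keeps the header in place.

```python
"""Find image responses that rely on MIME sniffing, i.e. the ones that stop
rendering once X-Content-Type-Options: nosniff is sent.  Added example for
this page, not the post's code; the bytes and responses below are constructed."""

# Leading bytes of the image formats a product-list image handler usually serves.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(body):
    """Return the MIME type the magic bytes indicate, or None if not a known image."""
    for magic, mime in IMAGE_MAGIC:
        if body.startswith(magic):
            return mime
    return None


def declared_type(headers):
    """Content-Type without parameters, lower-cased; '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == "content-type":
            return value.split(";")[0].strip().lower()
    return ""


def nosniff_breaks(headers, body):
    """(True, reason) when the declared type disagrees with the bytes.

    With nosniff the browser trusts Content-Type and stops guessing, so these
    are exactly the responses that worked before the header and fail after it."""
    actual = sniff_image_type(body)
    declared = declared_type(headers)
    if actual is None:
        return False, "body is not a recognised image"
    if declared == actual:
        return False, "Content-Type matches the bytes"
    if declared == "":
        return True, f"no Content-Type; bytes are {actual}"
    return True, f"Content-Type says {declared} but bytes are {actual}"


def fix_content_type(headers, body):
    """What the image handler should do: declare the type the bytes actually are.

    Returns a new header dict; nosniff stays in place instead of being dropped."""
    fixed = {k: v for k, v in headers.items() if k.lower() != "content-type"}
    actual = sniff_image_type(body)
    if actual is not None:
        fixed["Content-Type"] = actual
    return fixed


# Constructed sample bodies: just enough leading bytes to carry the signature.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

# Constructed responses from a resizing handler that inherited the page's Content-Type.
BROKEN_JPEG = ({"Content-Type": "text/html; charset=utf-8", "X-Content-Type-Options": "nosniff"}, JPEG_BYTES)
UNTYPED_PNG = ({"X-Content-Type-Options": "nosniff"}, PNG_BYTES)
GOOD_JPEG = ({"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"}, JPEG_BYTES)

if __name__ == "__main__":
    for name, (headers, body) in (("broken jpeg", BROKEN_JPEG), ("untyped png", UNTYPED_PNG), ("good jpeg", GOOD_JPEG)):
        breaks, reason = nosniff_breaks(headers, body)
        print(f"{name}: {'BREAKS under nosniff' if breaks else 'ok'} ({reason})")
        if breaks:
            print("  handler should send Content-Type:", fix_content_type(headers, body)["Content-Type"])
```

Run it over the responses your image handler produces (the headers and the first 16 bytes of each body are enough); anything reported as breaking is a handler bug that sniffing used to hide, not a reason to leave nosniff out.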
