Add more secure http headers when scaffolding new project

I have found these to work with Episerver, and will provide most of the recommended security headers. You can test them on observer.mozilla.org.

It would also be nice if Episerver made a comment in web.config on how to enable secure cookies. It would break Episerver on localhost to have them on by default, but should encourage developers to remember to turn them on, or provide transforms that can be used.

#196085
Aug 17, 2018 16:11

These are the settings we have applied in our projects too (the 6 first entries).

To remove the asp.net version header we've used the httpRuntime element's attribute: enableVersionHeader="false"

And to remove asp.net mvc version we've used the: MvcHandler.DisableMvcResponseHeader = true; (in global.asax.cs Application_Start)

Something to add to the Alloy MVC demo and the new Episerver project template.

#196088
Aug 17, 2018 21:01
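
An added example, not part of either post and not Episerver's own template: a Web.Release.config transform that turns on secure cookies only in transformed (deployed) builds, so localhost over plain HTTP keeps working, and sets the enableVersionHeader attribute mentioned above. It assumes the standard XDT transform pipeline and that the base web.config already has an httpRuntime element under system.web.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Web.Release.config (added example; file name assumes the default
     Visual Studio build-configuration transform naming) -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>

    <!-- Stop sending the X-AspNet-Version response header.
         Assumes <httpRuntime> already exists in the base web.config. -->
    <httpRuntime enableVersionHeader="false"
                 xdt:Transform="SetAttributes(enableVersionHeader)" />

    <!-- Secure cookies: left off in the base web.config so that
         http://localhost still works, switched on here for deployments.
         First make sure the element exists, then set the attributes,
         so the transform works whether or not the base file has it. -->
    <httpCookies xdt:Transform="InsertIfMissing" />
    <httpCookies requireSSL="true"
                 httpOnlyCookies="true"
                 xdt:Transform="SetAttributes(requireSSL,httpOnlyCookies)" />

  </system.web>

  <!-- The X-AspNetMvc-Version header cannot be removed from config; it is
       disabled in code with MvcHandler.DisableMvcResponseHeader = true
       in Application_Start, as described in the reply above. -->
</configuration>
```

With requireSSL="true" the site must be served over HTTPS end to end, otherwise browsers will not send the cookies back and logins will fail.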