Harden app security controls from audit
9
IIS.md
@@ -16,6 +16,8 @@
- Configure trusted reverse proxies/networks for forwarded headers (do not trust all sources):
- `ForwardedHeaders__KnownProxies__0=10.0.0.10`
- `ForwardedHeaders__KnownNetworks__0=10.0.0.0/24`
- Configure allowed hostnames explicitly (do not use wildcard in production):
- `AllowedHosts=picknplay.example.com;www.picknplay.example.com`
- Optional: enable stdout logging in `web.config` during troubleshooting only; disable afterward.
- Data protection keys are persisted to `App_Data/keys`; ensure this folder is deployed and writable so auth cookies stay valid across app pool recycles.
- Frontend base path: set `<meta name="app-base" content="/picknplay">` in `wwwroot/index.html` for production so API calls include the subpath (keep blank for local/root).
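Review bot: the `App_Data/keys` line should say where the key ring comes from. "Ensure this folder is deployed and writable" can be read as shipping the key files inside the deployment artifact; if the same key ring lands in several environments, a cookie issued by one is valid in the others, and the keys also end up wherever the build artifacts are stored. Suggest rewording to: the folder must exist and be writable by the app pool identity, the key files are generated on the server at first start, and `App_Data/keys` is excluded from the published artifact and from source control. The stdout logging bullet would also be clearer with its reason stated: it writes application output to disk under the site folder, which is why it is troubleshooting-only.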
@@ -23,3 +25,10 @@
## Permissions
- Grant modify rights to the app pool identity on `App_Data` (DB file + wal).
- Ensure firewall/HTTPS bindings match `applicationUrl` configured in IIS.
## Security Checklist
- Verify HTTPS binding/certificate is active before exposing the site publicly.
- Confirm `Strict-Transport-Security` is present in production responses.
- Confirm baseline headers are present (`Content-Security-Policy`, `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`).
- Confirm `AllowedHosts` contains only your actual IIS hostnames.
- Confirm trusted proxy lists are explicit and minimal.
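Review bot: the checklist does not cover the `App_Data/keys` folder that the first hunk introduces, and the Permissions entry grants modify on `App_Data` for "DB file + wal" only. Add a Permissions line for `App_Data/keys` (writable by the app pool identity, no wider access) and a checklist item to verify that a key ring exists there after the first start and that a signed-in session survives an app pool recycle, since the note above ties cookie validity to this folder. The header item would also be more useful if it said what to check in `Content-Security-Policy` rather than only that the header is present.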