When starting a new project, it is best to do the following security-related items as soon as possible; they are much harder to bolt on at a later stage.
This post is more of a note to myself so I can remember the name of this tool and how to configure it. The OWASP Zed Attack Proxy (ZAP) can crawl a site and test it against the current OWASP Top 10.
In the previous post I showed how to enable HSTS so that all HTTP traffic to a website is secured. As cool as that is, the unfortunate reality is that it is not always possible to secure all HTTP traffic for a website, especially when dealing with some legacy technology.
HTTP Strict Transport Security, or HSTS, is a response header that instructs a browser to use only HTTPS for a specified domain for the period given in its max-age directive: the browser will not downgrade a secure HTTPS connection to an insecure HTTP one, rewrites http:// links to https:// before sending the request, and no longer lets the user click through certificate errors. Browsers only honour the header when it arrives over HTTPS, so it must be sent on the secure site, not on an HTTP redirect.
There is a vulnerability in SSL 3.0 called POODLE; it is documented in detail here by Google. SSL 2.0 and 3.0 need to be disabled in the client browser and on the web server. Below is a registry file that can be copied and run on a Microsoft IIS web server to disable SSL 2.0 and 3.0…
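The same SChannel change expressed as a PowerShell script rather than a .reg file (an added example, not the registry file from the original post): it creates the Server and Client subkeys for SSL 2.0 and SSL 3.0, sets the two DWORD values that SChannel consults, and then re-reads them so the result can be checked. The key path and value names are the documented SChannel ones; the function names are my own.

```powershell
# Added example, not the registry file from the original post: disable SSL 2.0 and
# SSL 3.0 in SChannel for both the server and the client side of this host.
# Run from an elevated PowerShell session; SChannel reads these keys at boot, so
# reboot afterwards before trusting the result of an external scanner.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # 'SSL 2.0' or 'SSL 3.0'
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally stops
        # applications that leave protocol selection to SChannel from negotiating it.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    param([Parameter(Mandatory)][string]$Protocol)
    $disabled = $true
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key means "Windows default", which on the server versions of the
        # POODLE era still allowed SSL 3.0, so treat it as not disabled.
        if ($null -eq $p -or $p.Enabled -ne 0 -or $p.DisabledByDefault -ne 1) { $disabled = $false }
        Write-Host ("{0,-7} {1,-6} Enabled={2} DisabledByDefault={3}" -f $Protocol, $side, $p.Enabled, $p.DisabledByDefault)
    }
    return $disabled
}

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    Disable-SchannelProtocol -Protocol $proto
    if (-not (Test-SchannelProtocolDisabled -Protocol $proto)) { Write-Warning "$proto is still enabled" }
}
```

Because the check reads the registry rather than probing the listener, a green result only says the configuration is right; confirm with a TLS scanner after the reboot, and consider giving TLS 1.0 and 1.1 the same treatment once legacy clients allow it.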
It is important to realize that although a website might be running under HTTPS, this does not guarantee that the session information is not accessible from normal HTTP requests: a cookie without the Secure flag is sent by the browser on any plain HTTP request to the same domain, where it can be read on the wire. When a session cookie is generated it is important to mark it Secure so that the browser will only transmit it over a secure HTTP connection (HTTPS).
As in the .NET Framework, it is just as important to add security headers to your ASP.NET Core project to harden the security posture of your web application.
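A way to verify the three points above (HSTS, the Secure and HttpOnly flags on the session cookie, and the hardening headers) from the outside, as an added example that is not code from any of the original posts: the function parses raw response header lines and returns a list of findings, so it can be run against a constructed sample as shown or against a live site via Invoke-WebRequest. The function names and the sample response are my own; the one-year max-age threshold and the header names are the usual practitioner baseline.

```powershell
# Added example, not code from the original posts: audit an HTTP response for the
# headers this page is about. Works on raw header lines so it runs offline.
function Test-SecurityHeaders {
    param([Parameter(Mandatory)][string[]]$HeaderLines)

    $headers = @{}
    $cookies = @()
    foreach ($line in $HeaderLines) {
        if ($line -notmatch '^([^:]+):\s*(.*)$') { continue }   # skips the status line
        $name = $Matches[1].Trim().ToLowerInvariant()
        if ($name -eq 'set-cookie') { $cookies += $Matches[2] } else { $headers[$name] = $Matches[2] }
    }

    $findings = @()

    # HSTS: present, and with a max-age long enough to matter (one year here).
    $hsts = $headers['strict-transport-security']
    if (-not $hsts) { $findings += 'missing Strict-Transport-Security' }
    elseif ($hsts -notmatch 'max-age=(\d+)' -or [int64]$Matches[1] -lt 31536000) {
        $findings += "Strict-Transport-Security max-age below one year: $hsts"
    }

    # Every cookie, not just the session cookie, should carry Secure and HttpOnly.
    foreach ($c in $cookies) {
        $cname = ($c -split '=', 2)[0].Trim()
        if ($c -notmatch '(?i);\s*secure(;|$)')   { $findings += "cookie '$cname' lacks Secure" }
        if ($c -notmatch '(?i);\s*httponly(;|$)') { $findings += "cookie '$cname' lacks HttpOnly" }
    }

    # The hardening headers the ASP.NET Core post is about.
    foreach ($h in 'x-content-type-options', 'x-frame-options', 'content-security-policy') {
        if (-not $headers.ContainsKey($h)) { $findings += "missing $h" }
    }
    if ($headers.ContainsKey('server') -or $headers.ContainsKey('x-powered-by')) {
        $findings += 'Server / X-Powered-By headers disclose the platform'
    }
    return $findings
}

# Fetch the header block of a live response (everything before the first blank line).
function Get-ResponseHeaderLines {
    param([Parameter(Mandatory)][string]$Url)
    $raw = (Invoke-WebRequest -Uri $Url -UseBasicParsing).RawContent
    $lines = $raw -split "`r?`n"
    $end = [array]::IndexOf($lines, '')
    if ($end -lt 0) { $lines } else { $lines[0..($end - 1)] }
}

# Constructed sample response: a typical IIS site before any hardening.
$sample = @(
    'HTTP/1.1 200 OK',
    'Server: Microsoft-IIS/10.0',
    'X-Powered-By: ASP.NET',
    'Set-Cookie: ASP.NET_SessionId=abc123; Path=/; HttpOnly',
    'Strict-Transport-Security: max-age=300',
    'X-Content-Type-Options: nosniff'
)
Test-SecurityHeaders -HeaderLines $sample

# Against a real site (assumed URL):
# Test-SecurityHeaders -HeaderLines (Get-ResponseHeaderLines 'https://example.com/')
```

Run the check over HTTPS only; HSTS is ignored by browsers when received on plain HTTP, and the audit should mirror that. On the sample above it reports the short max-age, the missing Secure flag on the session cookie, the two absent hardening headers, and the platform-disclosing headers.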