Saturday, June 6, 2009

Ensure web application security by correct web.config configuration

In his article, Bryan Sullivan explains the most common mistakes in the web.config file that lead to web site vulnerabilities.

It's easy to overlook these mistakes in web.config. Moving the application from one stage to the next without changing web.config is one of the most common.

The following is the list of vulnerabilities; it can be used as a checklist for ensuring that the deployed product is protected from the most common web.config security flaws. For more details about each entry in the list, please read the complete article linked at the bottom of the page.

  1. Custom Errors Disabled.
  2. Leaving Tracing Enabled in Web-Based Applications.
  3. Debugging Enabled.
  4. Cookieless Session State Enabled.
  5. Cookieless Authentication Enabled.
  6. Failure to Require SSL for Authentication Cookies.
  7. Sliding Expiration Used.
  8. Non-Unique Authentication Cookie Used.
  9. Hardcoded Credentials Used.
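As an added example (not taken from Sullivan's article or this post), here is a constructed web.config fragment that exhibits all nine checklist items at once, followed by the same fragment with each setting corrected. The page names (Error.aspx, Login.aspx), the cookie name and the timeout are assumptions, and the httpCookies line is an extra hardening step that goes beyond the checklist.

```xml
<!-- BEFORE (constructed): every checklist item present in one file -->
<configuration>
  <system.web>
    <customErrors mode="Off" />                 <!-- 1: stack traces reach remote users -->
    <trace enabled="true" localOnly="false" />  <!-- 2: trace.axd exposed remotely -->
    <compilation debug="true" />                <!-- 3: debug build, verbose errors -->
    <sessionState cookieless="UseUri" />        <!-- 4: session ID carried in the URL -->
    <authentication mode="Forms">
      <!-- 5: cookieless auth, 6: no SSL required, 7: sliding expiration,
           8: default cookie name shared by every app on the host -->
      <forms name=".ASPXAUTH" cookieless="UseUri" requireSSL="false"
             slidingExpiration="true">
        <!-- 9: credentials hardcoded in clear text (placeholder values) -->
        <credentials passwordFormat="Clear">
          <user name="admin" password="PLACEHOLDER_PASSWORD" />
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>

<!-- AFTER (constructed): the same file with each setting corrected -->
<configuration>
  <system.web>
    <!-- 1: generic error page for remote users, details only on localhost -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- 2: tracing off; localOnly guards against a later enabled="true" -->
    <trace enabled="false" localOnly="true" />
    <!-- 3: never ship a debug build -->
    <compilation debug="false" />
    <!-- 4: session ID only in a cookie, never in the URL -->
    <sessionState cookieless="UseCookies" />
    <authentication mode="Forms">
      <!-- 5-8: cookie-based ticket, HTTPS only, fixed absolute lifetime,
           application-specific cookie name; 9: no <credentials> block,
           accounts live in a membership store instead -->
      <forms name="ExampleApp_Auth" loginUrl="~/Login.aspx"
             cookieless="UseCookies" requireSSL="true"
             slidingExpiration="false" timeout="20" />
    </authentication>
    <!-- extra hardening: Secure and HttpOnly flags on all cookies -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

Diffing a staging web.config against the production one for exactly these elements is a quick way to catch the "moved between stages without changes" mistake described above.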


Read the complete article at:

Application Security Vulnerabilities in Web.config Files Part One and Part Two by Bryan Sullivan.

1 comment:

Anonymous said...

Hey - I am certainly happy to find this. Good job!