Web.config security settings

This page lists the most important security-related settings, which can be configured in the web.config file of projects. Please note that most of the settings apply only when working with the administration application.


You should set the following attributes related to cookies:

  • httpOnlyCookies – adds a httpOnly flag to cookies and makes it impossible to read cookies from the client. This serves as protection against XSS (for example prevents attackers from reading the session ID from cookies or the forms authentication ticket from the authentication cookie).
  • requireSSL – configures cookies to require an SSL connection, which prevents communication eavesdropping. Note: Only enable the requireSSL attribute if your website is configured to use an encrypted HTTPS connection (see Configuring SSL).

    <httpCookies httpOnlyCookies="true" requireSSL="true">

Error messages and disabling the debug

You should unify handling of all types of errors and exceptions in your application. For more information see Handling 404 errors.

Before deploying your website to the live environment, you should also disable debugging in the web.config file, as this information should not be revealed to users.

You can disable debugging in your application by including this code in the <system.web> section:

    <compilation debug="false"/>

Encrypting individual sections of the web.config file

You can encrypt chosen sections of the web.config file, which can prevent attackers from obtaining sensitive information (passwords, connection string, etc.) if they manage to get hold of the file. For more information, see Encrypting and Decrypting Configuration Sections.

Encoding is supported natively by ASP.NET, so the web application does not need to provide any additional support.


You can set the default authentication mode for the administration interface using the mode attribute, which has the following possible values: Windows, Forms, Passport, None

<authentication mode="Windows">

See authentication Element (ASP.NET Settings Schema) for reference.

Forms authentication type

When using Forms authentication for the Xperience administration interface, you can further configure the authentication using the forms element. It is recommended to use session cookies (not to use cookieless authentication) to prevent session hijacking. This can be done by changing the cookieless attribute of the form element. You can also set these attributes:

  • cookieless – defines whether cookies are used and how they are used.
  • timeout – specifies the number of minutes after which the authentication cookie expires.
  • slidingExpiration – specifies, whether the expiration time of an authentication cookie should be reset upon each request in a session. If set to true, then the authentication cookie is refreshed with every request, so the cookie does not expire so easily.

<authentication mode="Forms">
    <forms loginUrl="CMSPages/logon.aspx" name=".ASPXFORMSAUTH" cookieless="UseCookies" requireSSL="true" timeout="15" slidingExpiration="false" />

The most secure solution is to set a short timeout interval (e.g., 15 minutes) and disable sliding expiration. This way, if attackers manage to steal the session, they only have a limited time interval to abuse it. However, users would need to submit their credentials and authenticate every time the session expires (set by the timeout attribute).

See forms Element for authentication (ASP.NET Settings Schema) for reference.


When developing custom functionality for the administration interface, you should use cookies instead of query strings to pass the session ID. This prevents session stealing, as it is easier to steal the session ID from query strings than cookies. See Session protection.

To protect the sessions against attacks, you should set the following attributes in the sessionState element:

  • mode – specifies where to store session state values.
  • cookieless – specifies how cookies are used for a Web application.
  • timeout – specifies the number of minutes a session can be idle before it is abandoned.

<sessionState mode="InProc" cookieless="false" timeout="20" />

See sessionState Element (ASP.NET Settings Schema) for reference.

View state validation

In the Xperience administration application, the view state validation is encoded using the machine key and also a private user key.

You can enable view state validation for the whole administration in the web.config file:

    <pages enableViewStateMac="true" />

It is also possible to encrypt the view state to further increase its protection. See Encrypt ViewState in ASP.NET 2.0 for more information.