Security checklist - deploying a website
This is a security deployment checklist – things to do before you deploy your site to a live environment.
Web.config:
| Check | Description | Details |
| --- | --- | --- |
|  | Debug mode is turned off (debug="false" on the compilation element) so that stack traces and compiler output are not leaked to users. |  |
|  | Tracing is disabled (enabled="false" on the trace element); trace.axd exposes request, session and server variable data of recent requests. |  |
|  | Custom error pages are enabled (customErrors mode="On" or "RemoteOnly") so that neither the website nor the application server returns detailed error messages to users. |  |
|  | Sensitive sections of the web.config file are encrypted (mainly the connection string). Sections encrypted with DPAPI can be decrypted only on the machine that encrypted them; on a web farm use the RSA provider with a shared key container instead. | How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI |
|  | Access to sensitive directories is forbidden (a location element with deny users="*") to protect the servers against enumeration attacks. |  |
|  | Cookieless authentication is disabled (forms cookieless="UseCookies"). In cookieless modes the authentication ticket is carried in the URL, where it leaks through Referer headers, browser history and logs and can be replayed to hijack the session. |  |
|  | The httpOnlyCookies flag is set (httpCookies httpOnlyCookies="true") so that cookies cannot be read by client-side script and are only sent back to the server (this is set by default in Kentico). |  |
IIS:
| Check | Description | Details |
| --- | --- | --- |
|  | Directory listing (directory browsing) is disabled on the website and web servers, so that a request for a folder without a default document does not return a list of its files. |  |
|  | All HTTP methods except GET and POST are disabled if they are not in use (Request Filtering: allowUnlisted="false" on the verbs element with GET and POST listed). Sites that expose REST endpoints may also need PUT or DELETE; allow only the verbs the application actually uses. |  |
|  | Scripts and 3rd party libraries are up-to-date. If external libraries (e.g. for database access or XML parsing) are used, always use the current versions. |  |
|  | Sensitive links that should not be indexed by search engines are listed in the robots.txt file. robots.txt is public and is read by attackers as well as crawlers, so it is a hint to crawlers, not an access control: every path listed there must also be protected by authorization. |  |
|  | The execution of scripts is disabled on folders where it is undesirable (typically folders that hold user uploads), by restricting the feature permissions of the handler mappings for those folders to Read. | Edit Feature Permissions for the Handler Mappings Feature (IIS 7) |
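The Web.config and IIS items above can be checked mechanically before deployment. The following script is an added example, not Kentico code: it parses a web.config, applies the ASP.NET/IIS defaults for absent elements (httpOnlyCookies and allowUnlisted default to the unsafe value, customErrors and sessionState to the safe one) and returns one finding per failed item. The two embedded configurations are constructed for the example; the "SiteDb" connection string, the ~/Error.aspx and ~/Logon.aspx pages and the "Private" folder are placeholders.

```python
"""Pre-deployment lint for the web.config / IIS items in the checklist.

Constructed example, not Kentico code. Element paths and defaults follow the
ASP.NET / IIS configuration schema; the sample configs below are made up.
"""
import xml.etree.ElementTree as ET


def _attr(root, path, name, default):
    """Attribute `name` of the first element at `path`, or `default` if absent."""
    el = root.find(path)
    return default if el is None else el.get(name, default)


def audit_web_config(xml_text: str) -> list[str]:
    """Return one finding per checklist item the given web.config fails."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    # Debug compilation: stack traces and source snippets reach the user.
    if _attr(root, "system.web/compilation", "debug", "false").lower() == "true":
        findings.append('compilation: set debug="false"')
    # trace.axd exposes request, session and server variables of recent requests.
    if _attr(root, "system.web/trace", "enabled", "false").lower() == "true":
        findings.append('trace: set enabled="false"')
    # mode="Off" returns detailed ASP.NET errors to every client (default is RemoteOnly).
    if _attr(root, "system.web/customErrors", "mode", "RemoteOnly").lower() == "off":
        findings.append('customErrors: set mode="On" or "RemoteOnly"')
    # httpOnlyCookies defaults to false, so an absent element is also a finding.
    if _attr(root, "system.web/httpCookies", "httpOnlyCookies", "false").lower() != "true":
        findings.append('httpCookies: set httpOnlyCookies="true"')
    # Any forms mode other than UseCookies can put the auth ticket into the URL.
    forms = root.find("system.web/authentication/forms")
    if forms is not None and forms.get("cookieless", "UseDeviceProfile").lower() != "usecookies":
        findings.append('forms: set cookieless="UseCookies"')
    # Same for the session ID (the default is already UseCookies).
    if _attr(root, "system.web/sessionState", "cookieless", "UseCookies").lower() not in ("usecookies", "false"):
        findings.append('sessionState: set cookieless="UseCookies"')
    # An encrypted section carries configProtectionProvider and has no plaintext <add> children.
    cs = root.find("connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None and cs.find("add") is not None:
        findings.append('connectionStrings: encrypt the section (aspnet_regiis -pef "connectionStrings" <site root>)')
    # IIS: directory browsing and unrestricted HTTP verbs (allowUnlisted defaults to true).
    if _attr(root, "system.webServer/directoryBrowse", "enabled", "false").lower() == "true":
        findings.append('directoryBrowse: set enabled="false"')
    if _attr(root, "system.webServer/security/requestFiltering/verbs", "allowUnlisted", "true").lower() != "false":
        findings.append('requestFiltering/verbs: set allowUnlisted="false" and allow only GET and POST')
    return findings


# Constructed "before" config: every item above fails.
WEAK_WEB_CONFIG = """
<configuration>
  <connectionStrings>
    <add name="SiteDb" connectionString="Server=db;Database=site;User Id=app;Password=hunter2" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="false" />
    <authentication mode="Forms"><forms loginUrl="~/Logon.aspx" cookieless="UseUri" /></authentication>
    <sessionState cookieless="UseUri" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
    <security><requestFiltering><verbs allowUnlisted="true" /></requestFiltering></security>
  </system.webServer>
</configuration>"""

# Constructed "after" config: the settings the checklist asks for.
HARDENED_WEB_CONFIG = """
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><!-- ciphertext written by aspnet_regiis --></EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" />
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms"><forms loginUrl="~/Logon.aspx" cookieless="UseCookies" requireSSL="true" /></authentication>
    <sessionState cookieless="UseCookies" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="false" />
    <security><requestFiltering><verbs allowUnlisted="false">
      <add verb="GET" allowed="true" /><add verb="POST" allowed="true" />
    </verbs></requestFiltering></security>
  </system.webServer>
  <!-- Deny every request to a hypothetical private folder -->
  <location path="Private"><system.web><authorization><deny users="*" /></authorization></system.web></location>
</configuration>"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or "OK")
```

Run it against the real web.config of the site (`audit_web_config(open(path).read())`) as a gate in the deployment pipeline; an empty list means every item in the two tables above is satisfied at the configuration level, though it says nothing about the Kentico-side settings that follow.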
Kentico:
| Check | Description | Details |
| --- | --- | --- |
|  | All test user accounts are deleted or disabled. |  |
|  | All unnecessary modules and applications are disabled. | Disabling unnecessary services and keeping the system up-to-date |
|  | All unnecessary pages are deleted. |  |
|  | File types that can be uploaded to the system are restricted. You can specify which extensions are allowed for uploaded files in general, including forms, in Settings -> System -> Files in the Security category. |  |
|  | UI personalization for specified roles is set correctly to prevent users from accessing unnecessary parts of the interface. You can configure UI personalization in the UI personalization application. |  |
|  | Permissions for specified actions in Kentico modules are set correctly for all roles. You can configure permissions in the Permissions application. |  |
|  | Users are allowed to use only strong and complex passwords. You can enable the Use password policy setting in Settings -> Security & Membership -> Passwords. |  |
|  | Passwords are stored in a strong and secure format. The recommended option is PBKDF2. You can set the password format in Settings -> Security & Membership -> Passwords -> Password format. Changing the format affects only passwords set afterwards; existing users keep their old hash until they change their password. |  |
|  | The number of allowed invalid sign-in attempts is limited. You can set the limit in Settings -> Security & Membership -> Protection in the Invalid sign-in attempts category. |  |
|  | You have considered whether the autocomplete function is needed for sign-in forms. Autocomplete can be enabled in Settings -> Security & Membership -> Protection in the General category. |  |
|  | Forms are secured with CAPTCHA (spam protection control). | Reference - System form components (MVC sites); Spam protection (CAPTCHA) (Portal Engine sites) |
|  | Encrypted Internet connection (HTTPS) is configured properly: a valid certificate is installed, plain HTTP requests are redirected to HTTPS, and authentication and session cookies are marked Secure (requireSSL) so they are never sent over HTTP. |  |