Security checklist - deploying a website

This is a security deployment checklist – things to do before you deploy your site to a live environment.





Debug mode is turned off to prevent leaks of sensitive information.

Web.config security settings

Tracing is disabled to prevent leaks of sensitive information.

Web.config security settings

The error messages of websites and application-server default error messages do not display detailed information to users.

Designing secure error messages

Sensitive sections of the web.config file are encrypted (mainly the connection string).

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI

Access to sensitive directories is forbidden to protect the servers against enumeration attacks.


Cookieless authentication is disabled to prevent session hijacking.

Session protection

The HttpOnlyCookies flag is set so that the cookies are accessible only from the server-side code (this behavior is set by default in Kentico).

Web.config security settings





Directory listing is disabled in the website and web servers.

Export/import package directory browsing

All HTTP methods except GET and POST are disabled if they are not in use.

Securing the Staging and REST web services

Scripts and 3rd party libraries are up-to-date. If external libraries (e.g. for database access, XML parsing) are used, always use the current versions.

Sensitive links which should not be indexed by search engines are listed within robots.txt files.

Managing robots.txt

The execution of scripts is disabled on folders where it is undesirable.

Edit Feature Permissions for the Handler Mappings Feature (IIS 7)





All test user accounts are deleted or disabled.

All unnecessary modules and applications are disabled.

Disabling unnecessary services and keeping the system up-to-date

All unnecessary pages are deleted.

File types that can be uploaded to the system are restricted. You can specify which extensions are allowed for uploaded files in general, including forms in Settings -> System -> Files in the Security category.

UI personalization for specified roles is set correctly to prevent users from accessing unnecessary parts of the interface. You can configure UI personalization in the UI personalization application.

UI Personalization

Permissions for specified actions in Kentico modules are set correctly for all roles. You can configure permissions in the Permissions application.

Configuring permissions securely

Users are allowed to use only strong and complex passwords. You can enable the Use password policy setting in Settings -> Security & Membership -> Passwords.

Password strength policy and its enforcement

Passwords are stored in a strong and secure format. The recommended option is PBKDF2. You can set the password format in Settings -> Security & Membership -> Passwords -> Password format.

Setting the user password format

The number of allowed invalid sign-in attempts is limited. You can set the limit in Settings -> Security & Membership -> Protection in the Invalid sign-in attempts category.

Invalid sign-in attempts

You have considered if the autocomplete function is needed for sign-in forms. Autocomplete can be enabled in Settings -> Security & Membership -> Protection in the General category.

Autocomplete deactivation

Forms are secured with CAPTCHA (spam protection control).

Reference - System form components (MVC sites)

Spam protection (CAPTCHA) (Portal Engine sites)

Encrypted Internet connection (HTTPS) is configured properly.

Configuring SSL