Steps to Secure Planvisage SCM Application
1. Enable SSL
HTTP traffic between the web server and its clients is sent in clear text. This is a security risk when passwords and other sensitive information cross the network. Setting up SSL (Secure Sockets Layer) encrypts this traffic.
Steps to follow
• Open IIS (Internet Information Services) manager.
• In the connection pane left, select the server name.
• Double click on the Server Certificates icon in IIS section.
• In the Actions pane, click on Create Domain Certificate.
• In the Distinguished Name Properties window, enter the required information for the certificate and click on Next.
• In the Online Certificate Authority window, click Select and choose the certification authority within your domain that will sign the certificate. Click on Finish.
• For testing purposes, a self-signed certificate can be used instead.
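The same result from the command line, as an added example that is not part of the Planvisage documentation: it creates the self-signed test certificate the step above allows, adds an HTTPS binding on port 443 and attaches the certificate to it, then reads the binding back to confirm. It assumes an elevated PowerShell session on the IIS host with the WebAdministration module available; the site name and host name are placeholders. A self-signed certificate is for testing only; production uses the domain CA certificate from the steps above.

```powershell
# Added example, not part of the Planvisage documentation.
# Assumptions: elevated PowerShell on the IIS host; WebAdministration module present;
# $SiteName and $HostName are placeholders to replace.
Import-Module WebAdministration

$SiteName = 'Default Web Site'        # assumption: the site from section 2
$HostName = 'scm.example.internal'    # placeholder host name for the certificate

# 1. Self-signed certificate in the machine store (testing only, as the page says).
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. HTTPS binding on 443, added only if the site does not already have one.
if (-not (Get-WebBinding -Name $SiteName -Protocol 'https' -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol 'https' -Port 443 -HostHeader $HostName
}

# 3. Attach the certificate to the binding. IIS:\SslBindings paths are "ip!port".
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $bindingPath) { Remove-Item $bindingPath }
$cert | New-Item -Path $bindingPath

# 4. Read back: the binding must reference the certificate we just created.
$binding = Get-Item $bindingPath
if ($binding.Thumbprint -eq $cert.Thumbprint) {
    "HTTPS binding on 443 uses certificate $($cert.Thumbprint)"
} else {
    throw 'SSL binding does not reference the new certificate'
}
```

Once a CA-signed certificate replaces the test one, only step 3 needs to be repeated with the new certificate object; the binding itself stays.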
2. HTTP Response Header
Follow the steps below to configure IIS to add X-Frame-Options and Strict-Transport-Security headers to all responses for a given site:
• Open IIS (Internet Information Services) manager
• In the Connections Pane on the left, Expand Sites and click on Default Web Site
• In the Default Web Site Home Pane, under IIS click on HTTP Response Header icon
• In Actions Pane, Click on Add. In the Dialog box, in the Name field give X-Frame-Options and Value as SAMEORIGIN. Click OK
• In Actions Pane, Click on Add. In the Dialog box, in the Name field give Strict-Transport-Security and Value as max-age=31536000. Click OK
3. Secure Cookies
Make the changes below in the Web.config file to enable secure cookies. Make sure the requireSSL value is true:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
</system.web>
Or, for Forms authentication:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" cookieless="UseCookies"/>
</authentication>
4. Remove Server version disclosing header
Follow the steps below to disable the headers that disclose the server version:
• Open IIS (Internet Information Services) manager
• Select the Web Site
• In the Default Web Site Home Pane, under IIS click on the HTTP Response Header icon
• Select X-Powered-By and click on Remove. Also remove Server.
5. Add All These Headers
| Key | Value |
|---|---|
| Cache-Control | public, max-age=3600 |
| Content-Security-Policy | default-src 'self' 'unsafe-inline' 'unsafe-eval' ; frame-src app.powerbi.com 'self'; connect-src 'self';style-src-attr 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:; |
| Permissions-Policy | Self |
| Referrer-Policy | strict-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Content-Type-Options | Nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
To add a header in IIS (Internet Information Services), use the HTTP Response Headers feature. The steps are:
- Open the IIS Manager.
- Select your website or Web Application from the "Connections" pane on the left.
- In the middle pane, double-click on the "HTTP Response Headers" feature.
- In the "Actions" pane on the right, click on "Add..." to add a new HTTP response header.
- In the "Name" field, enter the Key from the table.
- In the "Value" field, enter the corresponding Value from the table.
- Click "OK" to save the header.
- Optionally, you can verify the presence of the new header in the "HTTP Response Headers" section.
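The scripted equivalent of sections 2, 4 and 5, as an added example that is not part of the Planvisage documentation: it removes the version-disclosing headers, adds every header from the table above so that the script can be re-run without IIS rejecting duplicate names, and then fetches the site and compares what it actually sends with the table. It uses the WebAdministration module and assumes an elevated PowerShell session on the IIS host; the site name and test URL are placeholders, and the removeServerHeader setting assumes IIS 10 or later. Because the table is applied last, its X-Frame-Options value DENY replaces the SAMEORIGIN value that section 2 sets.

```powershell
# Added example, not part of the Planvisage documentation.
# Assumptions: elevated PowerShell on the IIS host; WebAdministration module present;
# $SiteName and the test URL are placeholders; removeServerHeader needs IIS 10 or later.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'                            # assumption
$SitePath      = "IIS:\Sites\$SiteName"
$HeadersFilter = 'system.webServer/httpProtocol/customHeaders'

# Headers from the table in section 5, values copied from the page.
# X-Frame-Options is DENY here and overrides the SAMEORIGIN set in section 2.
$RequiredHeaders = [ordered]@{
    'Cache-Control'             = 'public, max-age=3600'
    'Content-Security-Policy'   = "default-src 'self' 'unsafe-inline' 'unsafe-eval' ; frame-src app.powerbi.com 'self'; connect-src 'self';style-src-attr 'self' 'unsafe-inline' 'unsafe-eval';img-src 'self' data:;"
    'Permissions-Policy'        = 'Self'
    'Referrer-Policy'           = 'strict-origin'
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    'X-Content-Type-Options'    = 'nosniff'    # the defined token is lowercase; browsers match it case-insensitively
    'X-Frame-Options'           = 'DENY'
    'X-XSS-Protection'          = '1; mode=block'
}

function Get-CustomHeaderEntry {
    param([string]$Name)
    Get-WebConfigurationProperty -PSPath $SitePath -Filter $HeadersFilter -Name 'Collection' |
        Where-Object { $_.name -eq $Name }
}

function Remove-CustomHeader {
    param([string]$Name)
    if (Get-CustomHeaderEntry -Name $Name) {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter $HeadersFilter -Name '.' -AtElement @{ name = $Name }
    }
}

function Set-CustomHeader {
    param([string]$Name, [string]$Value)
    # Drop any existing entry first: IIS rejects duplicate header names, and this keeps the script re-runnable.
    Remove-CustomHeader -Name $Name
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $HeadersFilter -Name '.' -Value @{ name = $Name; value = $Value }
}

# Section 4: stop disclosing the server version.
Remove-CustomHeader -Name 'X-Powered-By'
Remove-CustomHeader -Name 'Server'
# The Server header is emitted by IIS itself; on IIS 10+ requestFiltering can suppress it (assumption).
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/security/requestFiltering' -Name 'removeServerHeader' -Value $true

# Sections 2 and 5: add every header in the table.
foreach ($name in $RequiredHeaders.Keys) {
    Set-CustomHeader -Name $name -Value $RequiredHeaders[$name]
}

# Verification: request the site and compare the headers it actually sends with the table.
function Test-ResponseHeaders {
    param([string]$Url)
    # On PowerShell 7 add -SkipCertificateCheck when testing against a self-signed certificate.
    $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    $problems = @()
    foreach ($name in $RequiredHeaders.Keys) {
        $actual = ($resp.Headers[$name] -join ', ')    # PowerShell 7 returns string[] per header
        if (-not $actual) { $problems += "missing: $name" }
        elseif ($actual -ne $RequiredHeaders[$name]) { $problems += "mismatch: $name = '$actual'" }
    }
    foreach ($name in 'X-Powered-By', 'Server') {
        $leak = ($resp.Headers[$name] -join ', ')
        if ($leak) { $problems += "still disclosed: $name = '$leak'" }
    }
    if ($problems.Count -eq 0) { return 'OK: all section 5 headers present, no version-disclosing headers' }
    return $problems
}

Test-ResponseHeaders -Url 'https://scm.example.internal/'    # placeholder URL
```

The verification function is the check worth keeping: run it after every deployment, since a later change to the site or a new application under it can silently drop a header that was set at the site level.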
6. WebConfig Custom Errors
The Web.config "customErrors" mode should be set to "On", as shown in the images below.
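The Web.config settings from sections 3 and 6 applied and then read back, as an added example that is not part of the Planvisage documentation: it sets the httpOnlyCookies and requireSSL attributes, the Forms-authentication requireSSL attribute, and customErrors mode On, then reports each setting as OK or FAIL. It uses the WebAdministration module, which edits the site's Web.config for system.web sections, and assumes an elevated PowerShell session on the IIS host; the site name is a placeholder.

```powershell
# Added example, not part of the Planvisage documentation.
# Assumptions: elevated PowerShell on the IIS host; WebAdministration module present;
# $SiteName is a placeholder. Writes go to the site's Web.config.
Import-Module WebAdministration

$SiteName = 'Default Web Site'    # assumption
$SitePath = "IIS:\Sites\$SiteName"

# Section 3: HttpOnly and Secure flags on all ASP.NET cookies (system.web/httpCookies).
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/httpCookies' -Name 'httpOnlyCookies' -Value $true
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/httpCookies' -Name 'requireSSL'      -Value $true

# Section 3, second variant: the Forms authentication cookie also requires SSL.
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/authentication/forms' -Name 'requireSSL' -Value $true

# Section 6: custom error pages on, so stack traces never reach the client.
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/customErrors' -Name 'mode' -Value 'On'

function Get-ConfigValue {
    param([string]$Filter, [string]$Name)
    # The property may come back as a plain value or wrapped in an object with a .Value member.
    $raw = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name $Name
    if ($null -ne $raw.Value) { $raw.Value } else { $raw }
}

function Test-WebConfigHardening {
    $checks = @(
        @{ Filter = 'system.web/httpCookies';          Name = 'httpOnlyCookies'; Expected = $true },
        @{ Filter = 'system.web/httpCookies';          Name = 'requireSSL';      Expected = $true },
        @{ Filter = 'system.web/authentication/forms'; Name = 'requireSSL';      Expected = $true },
        @{ Filter = 'system.web/customErrors';         Name = 'mode';            Expected = 'On' }
    )
    foreach ($c in $checks) {
        $actual = Get-ConfigValue -Filter $c.Filter -Name $c.Name
        $status = if ("$actual" -eq "$($c.Expected)") { 'OK  ' } else { 'FAIL' }
        "$status $($c.Filter)/@$($c.Name) = $actual"
    }
}

Test-WebConfigHardening
```

A FAIL line after running this usually means a Web.config in a sub-application overrides the site-level setting; check the application's own Web.config before changing the site again.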