Security Hardening Guide for ASP.NET Core Applications

Comprehensive Security Hardening Guide

This guide covers essential security configurations to protect your ASP.NET Core applications on Windows hosting.

1. HTTPS and SSL/TLS Configuration

Force HTTPS Redirect

Always redirect HTTP to HTTPS. Add to web.config:

<system.webServer>
  <rewrite>
    <rules>
      <rule name="HTTPS Redirect" stopProcessing="true">
        <match url="(.*)" />
        <conditions>
          <add input="{HTTPS}" pattern="^OFF$" />
        </conditions>
        <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                redirectType="Permanent" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

ASP.NET Core HTTPS Enforcement

// In Program.cs (minimal hosting model); UseHsts is registered before UseHttpsRedirection
if (!app.Environment.IsDevelopment())
    app.UseHsts();          // only once HTTPS is confirmed working; keep off for local dev
app.UseHttpsRedirection();  // 307 redirect of http:// requests to https://

2. Security Headers

Essential Security Headers in web.config

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Prevent clickjacking -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />

      <!-- Prevent MIME type sniffing -->
      <add name="X-Content-Type-Options" value="nosniff" />

      <!-- Enable XSS filter (legacy header; current browsers no longer implement it) -->
      <add name="X-XSS-Protection" value="1; mode=block" />

      <!-- Referrer policy -->
      <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />

      <!-- Permissions policy -->
      <add name="Permissions-Policy" value="geolocation=(), microphone=(), camera=()" />

      <!-- Remove server identification -->
      <remove name="X-Powered-By" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

HSTS (HTTP Strict Transport Security)

Forces browsers to use HTTPS for future visits:

<!-- In web.config, inside <httpProtocol><customHeaders> -->
<add name="Strict-Transport-Security"
     value="max-age=31536000; includeSubDomains; preload" />

Important: Only enable HSTS after confirming HTTPS works perfectly. The preload directive submits your site to browser preload lists.

ASP.NET Core Security Headers

// In Program.cs (or Startup.Configure). Register this before UseStaticFiles and the
// endpoint middleware so the headers are set on every response, static files included.
// The indexer overwrites an existing value; Headers.Add throws if the header is already set.
app.Use(async (context, next) =>
{
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
    context.Response.Headers["X-XSS-Protection"] = "1; mode=block";
    context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
    await next();
});

3. Content Security Policy (CSP)

Basic CSP Header

<add name="Content-Security-Policy"
     value="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'self';" />

CSP Directives Explained

Directive        Purpose                            Recommended Value
---------------  ---------------------------------  ------------------------------
default-src      Default policy for all resources   'self'
script-src       JavaScript sources                 'self' plus CDNs if needed
style-src        CSS sources                        'self' 'unsafe-inline'
img-src          Image sources                      'self' data: https:
frame-ancestors  Who can embed your site            'self' or 'none'

4. Remove Sensitive Information

Hide Server Version

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true" />
  </security>
</system.webServer>

<!-- system.web settings apply to the classic ASP.NET (System.Web) pipeline, which sends
     X-AspNet-Version; ASP.NET Core does not send that header, so this only matters when
     the same site or pool also hosts .NET Framework applications. -->
<system.web>
  <httpRuntime enableVersionHeader="false" />
</system.web>

Custom Error Pages

<system.webServer>
  <!-- existingResponse="Replace" swaps any 4xx/5xx response the application produces
       for the static page below, including JSON error bodies from an API. Use
       existingResponse="PassThrough" if the application renders its own error responses. -->
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="404" />
    <error statusCode="404" path="/error/404.html" responseMode="File" />
    <remove statusCode="500" />
    <error statusCode="500" path="/error/500.html" responseMode="File" />
  </httpErrors>
</system.webServer>

5. Request Filtering

Block Dangerous File Extensions

<system.webServer>
  <security>
    <requestFiltering>
      <fileExtensions>
        <add fileExtension=".config" allowed="false" />
        <add fileExtension=".cs" allowed="false" />
        <add fileExtension=".csproj" allowed="false" />
        <add fileExtension=".bak" allowed="false" />
        <add fileExtension=".sql" allowed="false" />
      </fileExtensions>
      <hiddenSegments>
        <add segment="bin" />
        <add segment="App_Data" />
      </hiddenSegments>
    </requestFiltering>
  </security>
</system.webServer>

Limit Request Size (Prevent DoS)

<requestFiltering>
  <!-- value is in bytes: 30,000,000 bytes (30 MB), which is also the IIS default;
       Kestrel and in-process hosting enforce a separate MaxRequestBodySize of the same size -->
  <requestLimits maxAllowedContentLength="30000000" />
</requestFiltering>

6. Security Header Verification

Test your security headers using these tools:

  • securityheaders.com - Grades your security headers
  • ssllabs.com/ssltest - Tests SSL/TLS configuration
  • observatory.mozilla.org - Mozilla security scanner

Security Header Quick Reference

Header                     Purpose                   Priority
-------------------------  ------------------------  --------
Strict-Transport-Security  Force HTTPS               Critical
X-Content-Type-Options     Prevent MIME sniffing     Critical
X-Frame-Options            Prevent clickjacking      Critical
Content-Security-Policy    Control resource loading  High
Referrer-Policy            Control referrer info     High
Permissions-Policy         Control browser features  Medium

Green = Must have, Yellow = Recommended
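As an added example (not part of this guide or the hosting provider's tooling), a small Python checker that scores a captured set of response headers against the quick reference above: it flags missing headers by priority, an HSTS max-age shorter than one year, a CSP whose script-src permits 'unsafe-inline', and the identifying headers section 4 removes. The sample header sets are constructed; paste in the headers from your own site to run it offline.

```python
import re
# Expected headers and priorities, taken from the quick reference above.
EXPECTED = {"Strict-Transport-Security": "Critical", "X-Content-Type-Options": "Critical",
            "X-Frame-Options": "Critical", "Content-Security-Policy": "High",
            "Referrer-Policy": "High", "Permissions-Policy": "Medium"}
ORDER = ("Critical", "High", "Medium")
LEAKY = ("Server", "X-Powered-By", "X-AspNet-Version")  # identify the stack; should be absent

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def check_headers(headers):
    """Return (priority, message) findings for a dict of response headers, Critical first."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, prio in EXPECTED.items():
        if name.lower() not in h:
            findings.append((prio, f"missing {name}"))
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            findings.append(("Critical", "HSTS max-age below one year (31536000)"))
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when it is not set explicitly
        if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
            findings.append(("High", "CSP script-src allows 'unsafe-inline'"))
    for name in LEAKY:
        if name.lower() in h:
            findings.append(("High", f"{name} header reveals stack: {h[name.lower()]}"))
    return sorted(findings, key=lambda f: ORDER.index(f[0]))

# Constructed sample headers: a hardened response and an unhardened IIS default.
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "geolocation=(), microphone=(), camera=()"}
DEFAULT = {"Server": "Microsoft-IIS/10.0", "X-Powered-By": "ASP.NET"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, check_headers(hdrs) or "no findings")
```

Running it against the Basic CSP from section 3 reports the 'unsafe-inline' finding on script-src, which is the directive to tighten first.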
