What does a secure web.config look like?

From Guidance Share


J.D. Meier, Prashant Bansode, Alex Mackman


A secure web.config file should conform to the following guidelines:

  • The connectionStrings configuration section is encrypted using the aspnet_regiis.exe utility.
  • All configuration sections that store user credentials or sensitive data are encrypted using the aspnet_regiis.exe utility.
  • Trace is disabled for the application and customErrors mode is set to “On”, so that no detailed error messages are returned to the user.
  • When using Forms authentication, the authentication ticket is secured via the configuration settings. The correct membership provider is configured and set as the defaultProvider.
  • When using the role manager's role caching feature, the authorization cookie is secured via configuration settings.
  • Impersonation is turned off if not required.
  • Only authenticated users have access to the secured part of the web site.
  • Session state is turned off if not used.
  • In the machineKey element, decryptionKey and validationKey are separate for each application, whereas in a Web Farm scenario the same keys are used on each machine for that application.
  • Application exception details are not propagated to the client.
  • A trust level that matches your application's requirements precisely is specified, and it does not grant more permissions than your application requires.
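A web.config that applies the checklist above, added here as an illustration rather than taken from this page or from the patterns & practices guidance; the application path /MyApp, the page, provider and database names, and the *_PLACEHOLDER values are assumptions to replace with your own:

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Encrypt this section in place before deployment, from the .NET Framework directory:
       aspnet_regiis -pe "connectionStrings" -app "/MyApp"
       The encrypted section then carries a configProtectionProvider attribute and EncryptedData. -->
  <connectionStrings>
    <add name="MembershipDb" connectionString="Data Source=DB_SERVER_PLACEHOLDER;Initial Catalog=aspnetdb;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- No tracing and no detailed error pages for the client -->
    <trace enabled="false" />
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <!-- Forms ticket encrypted and signed (protection="All") and sent only over SSL -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true" slidingExpiration="false" timeout="20" />
    </authentication>
    <!-- Explicit membership provider selected as defaultProvider; passwords stored hashed -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="MembershipDb" passwordFormat="Hashed" requiresUniqueEmail="true" />
      </providers>
    </membership>
    <!-- Cached role cookie encrypted, signed and SSL-only -->
    <roleManager enabled="true" cacheRolesInCookie="true" cookieProtection="All" cookieRequireSSL="true" />
    <!-- Impersonation and session state off because this application does not need them -->
    <identity impersonate="false" />
    <sessionState mode="Off" />
    <!-- Per-application keys; on a web farm paste the same explicit values on every node -->
    <machineKey validationKey="VALIDATION_KEY_PLACEHOLDER" decryptionKey="DECRYPTION_KEY_PLACEHOLDER" validation="SHA1" decryption="AES" />
    <!-- Least trust level the application actually works under -->
    <trust level="Medium" />
  </system.web>
  <!-- Only authenticated users reach the secured area; "?" denotes anonymous users -->
  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```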

More information

For more information on securing your application's web.config, see “How To: Perform a Security Deployment Review for ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000028.asp.
