Security issues run into at work, with the reference fixes collected here; to be extended over time.
Fortify Report
1. Math.random(): remove it, or replace it with window.crypto.getRandomValues(new Uint32Array(1))[0] wherever the value matters for security (tokens, IDs, nonces). Math.random() is not a cryptographic generator and its output is predictable; for purely cosmetic uses it can stay.
2. X-Frame-Options Header Not Set: in IIS open HTTP Response Headers and add X-Frame-Options: SAMEORIGIN.
3. X-AspNet-Version: in web.config add <httpRuntime enableVersionHeader="false" /> under <system.web>.
4. X-AspNetMvc-Version (MVC applications): in Global.asax Application_Start add MvcHandler.DisableMvcResponseHeader = true; this removes the MVC version header only; X-AspNet-Version is handled by item 3.
5. Viewstate without MAC Signature (Unsure): in IIS open Machine Key and leave the "Automatically generate at runtime" and "Generate a unique key for each application" boxes unchecked so a fixed validation/decryption key is used (required anyway in a web farm); in the .aspx @Page directive add EnableViewStateMac="true" ViewStateEncryptionMode="Always". ViewState MAC is on by default and cannot be switched off at all since .NET Framework 4.5.2, so this finding is usually a false positive unless enableViewStateMac="false" is set somewhere.
6. X-Content-Type-Options Header Missing: in IIS HTTP Response Headers add X-Content-Type-Options: nosniff.
7. X-Powered-By: in IIS HTTP Response Headers remove the X-Powered-By entry (this writes a remove element into the site's customHeaders so the server-level header is not inherited).
8. XSS Protection Not Enabled: in IIS HTTP Response Headers add X-XSS-Protection: 1; mode=block. This only satisfies the scanner: current Chromium-based browsers and Firefox ignore the header, so the Content-Security-Policy of item 10 is the control that actually matters.
9. Cookie Without SameSite Attribute: install .NET Framework 4.7.2 (the first version whose cookie APIs know about SameSite); in web.config add sameSite="Lax" httpOnlyCookies="true" to <httpCookies>, cookieSameSite="Lax" to <sessionState>, and cookieSameSite="Lax" to <authentication><forms>.
10. CSP Scanner: Wildcard Directive: set Content-Security-Policy in IIS HTTP Response Headers. The policy default-src 'self' 'unsafe-inline'; style-src 'self' http://* 'unsafe-inline'; connect-src 'self' http://* 'unsafe-inline' data: http: does not clear the finding: http://* and http: are themselves wildcard sources, and 'unsafe-inline' has no meaning in connect-src. List the specific origins each directive really needs, drop the wildcards and the stray 'unsafe-inline', and keep 'unsafe-inline' only where inline styles or scripts genuinely cannot be removed yet.
11. Cross-Domain Misconfiguration: this alert is raised because the response carries Access-Control-Allow-Origin: *. The fix is the opposite of adding that header: remove the wildcard entry in IIS HTTP Response Headers, or set it to the specific trusted origin(s) that need cross-origin access.
12. Information Disclosure: remove comments from what is sent to the browser. In ASP.NET pages use server-side comments <%-- ... --%>, which are stripped at render time, instead of HTML comments <!-- ... -->, which are delivered to the client.
13. Timestamp Disclosure - Unix: check by hand that the exposed timestamps are not sensitive and cannot be correlated to reveal an exploitable pattern (for example the moment a token or ID was generated).
14. Absence of Anti-CSRF Tokens (MVC): inside Html.BeginForm add @Html.AntiForgeryToken(), and mark the action that receives the POST with [HttpPost] and [ValidateAntiForgeryToken]; the hidden field alone is not checked by anything.
15. Absence of Anti-CSRF Tokens (ASP.NET Web Forms): install System.Web.Helpers.dll / System.Web.WebPages.dll from NuGet (package Microsoft.AspNet.WebPages), add <%= System.Web.Helpers.AntiForgery.GetHtml() %> inside the form in the .aspx, and in Page_Load(object sender, EventArgs e) add if (IsPostBack) AntiForgery.Validate();. Validate() throws HttpAntiForgeryException on a missing or mismatched token, which aborts the postback before any control event runs.
16. Multiple X-Frame-Options Header Entries (ASP.NET): AntiForgery.GetHtml() and @Html.AntiForgeryToken() emit their own X-Frame-Options: SAMEORIGIN, so together with the IIS header from item 2 the response carries two copies. Set AntiForgeryConfig.SuppressXFrameOptionsHeader = true; (in Page_Load as done here, or once in Global.asax Application_Start, since it is a static setting) so only the IIS-configured header remains.
17. SecureFlag: in web.config set <httpCookies sameSite="Lax" httpOnlyCookies="true" requireSSL="true" />. requireSSL="true" assumes the site is served only over HTTPS; a browser will not send the cookies over plain HTTP. The forms-authentication cookie has its own requireSSL attribute on <forms>.
18. Viewstate without MAC Signature (Unsure): in machine.config add <pages enableViewStateMac="true" viewStateEncryptionMode="Always"/> under <system.web>, for each installed framework: Framework and Framework64, v2.0.50727 and v4.0.30319 (%windir%\Microsoft.NET\Framework[64]\<version>\Config\machine.config).
19. CSP: Wildcard Directive (frame-ancestors, form-action): add frame-ancestors 'none'; form-action 'none' to the policy. Be aware that frame-ancestors 'none' forbids all framing, including by the site itself (stricter than the SAMEORIGIN of item 2; use 'self' if the application frames its own pages), and form-action 'none' blocks every form submission, including the application's own; 'self' is the usual value.
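The following Global.asax.cs is an added example, not code from the original post. It applies the response-header items (2, 6, 7, 8, 10, 16, 19) and the MVC version-header item (4) in code rather than through the IIS "HTTP Response Headers" dialog, so the settings are versioned with the application; the namespace, class name and the CSP origin https://cdn.example.com are placeholders, and the code assumes .NET Framework 4.5.2 or later (for HttpResponse.AddOnSendingHeaders) and the IIS integrated pipeline (for a writable Response.Headers).

```csharp
// Global.asax.cs: added example, not from the original post. Placeholder
// namespace/class; https://cdn.example.com stands for whatever origins the
// application really loads from. Needs .NET Framework 4.5.2+ and the IIS
// integrated pipeline.
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace HardenedHeaders
{
    public class MvcApplication : HttpApplication
    {
        // Items 10 and 19: a CSP with no wildcard sources. Every directive
        // names 'self' plus the concrete origins it needs; there is no http://*
        // or http:, and no 'unsafe-inline' in connect-src where it is meaningless.
        private const string ContentSecurityPolicy =
            "default-src 'self'; " +
            "script-src 'self'; " +
            "style-src 'self' https://cdn.example.com; " +   // placeholder origin
            "connect-src 'self'; " +
            "img-src 'self' data:; " +
            "frame-ancestors 'self'; " +   // agrees with X-Frame-Options: SAMEORIGIN below
            "form-action 'self'";          // 'none' would block the app's own forms

        protected void Application_Start()
        {
            // Item 4: stop the X-AspNetMvc-Version header. X-AspNet-Version is
            // removed separately by <httpRuntime enableVersionHeader="false" />.
            MvcHandler.DisableMvcResponseHeader = true;

            // Item 16: AntiForgery.GetHtml() / @Html.AntiForgeryToken() add their
            // own X-Frame-Options: SAMEORIGIN. Suppress that copy so the one
            // written in OnSendingHeaders is the only one in the response.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
        }

        protected void Application_BeginRequest()
        {
            // The callback runs just before the headers are flushed, after IIS
            // and any library have added theirs, so the edits below are final.
            Context.Response.AddOnSendingHeaders(OnSendingHeaders);
        }

        private static void OnSendingHeaders(HttpContext context)
        {
            HttpResponse response = context.Response;

            // Item 7: same effect as removing X-Powered-By in the IIS dialog.
            response.Headers.Remove("X-Powered-By");

            SetExactlyOnce(response, "X-Frame-Options", "SAMEORIGIN");       // items 2, 16
            SetExactlyOnce(response, "X-Content-Type-Options", "nosniff");   // item 6
            SetExactlyOnce(response, "X-XSS-Protection", "1; mode=block");   // item 8 (legacy, kept for the scanner)
            SetExactlyOnce(response, "Content-Security-Policy", ContentSecurityPolicy); // items 10, 19
        }

        // Replace rather than append, so a header already added by IIS
        // configuration or by a library is never duplicated (item 16).
        private static void SetExactlyOnce(HttpResponse response, string name, string value)
        {
            response.Headers.Remove(name);
            response.Headers.Add(name, value);
        }
    }
}
```

If the headers are also configured in IIS, keep one of the two places as the source of truth; SetExactlyOnce makes the outcome the same either way, but two competing definitions are what produced the duplicate X-Frame-Options in the first place.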
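The complete anti-CSRF pattern behind items 14 and 15, as an added example that is not code from the original post: emitting the token (the part the post lists) does nothing on its own until the server validates it, so the MVC half adds [ValidateAntiForgeryToken] and the Web Forms half calls AntiForgery.Validate() before any control event runs. Controller, page, view and field names are hypothetical; the Web Forms part assumes the Microsoft.AspNet.WebPages NuGet package is installed.

```csharp
// Added example, not from the original post. Hypothetical names throughout.
using System;
using System.Web.Helpers;   // AntiForgery: NuGet package Microsoft.AspNet.WebPages
using System.Web.Mvc;
using System.Web.UI;

namespace AntiCsrfDemo
{
    // ---- MVC (item 14) ----
    // Razor view, e.g. Views/Account/ChangeEmail.cshtml (hypothetical):
    //   @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
    //   {
    //       @Html.AntiForgeryToken()   // hidden __RequestVerificationToken + matching cookie
    //       <input type="email" name="email" />
    //       <button type="submit">Save</button>
    //   }
    public class AccountController : Controller
    {
        [HttpGet]
        public ActionResult ChangeEmail()
        {
            return View();
        }

        [HttpPost]
        [ValidateAntiForgeryToken]   // without this attribute the hidden field is never checked
        public ActionResult ChangeEmail(string email)
        {
            // Reached only when form token and cookie token match; a forged
            // cross-site POST is rejected with HttpAntiForgeryException first.
            // ... persist the new address for User.Identity.Name ...
            return RedirectToAction("ChangeEmail");
        }
    }

    // ---- Web Forms (item 15) ----
    // Markup in ChangeEmail.aspx (hypothetical):
    //   <form id="form1" runat="server">
    //       <%= System.Web.Helpers.AntiForgery.GetHtml() %>
    //       <asp:TextBox ID="EmailBox" runat="server" />
    //       <asp:Button ID="SaveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
    //   </form>
    public partial class ChangeEmailPage : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Page_Load runs before control event handlers such as SaveButton_Click,
            // so validating here protects every postback handler on the page.
            // Validate() throws HttpAntiForgeryException on a missing or mismatched
            // token, which aborts the request before any handler executes.
            if (IsPostBack)
            {
                AntiForgery.Validate();
            }
        }

        protected void SaveButton_Click(object sender, EventArgs e)
        {
            // Reached only after validation passed.
            // ... persist EmailBox.Text ...
        }
    }
}
```

Both halves emit an X-Frame-Options: SAMEORIGIN header of their own; if IIS already sets that header (item 2), set AntiForgeryConfig.SuppressXFrameOptionsHeader = true as in item 16 to avoid the duplicate.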