IIS Redirect HTTP to HTTPS

Just a quick note – if you want to use an IIS rule to redirect users from HTTP to HTTPS, the following rule seems to work pretty well. You’ll need the IIS URL Rewrite module installed.

<rule name="Redirect to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>

 

Advertisements
IIS Redirect HTTP to HTTPS

Lock down your HTTP Verbs

Something that has come up in some of our testing recently is that some of our websites have HTTP verbs allowed that probably should be blocked – and with IIS they can be.

To recap, we’re use to the idea of GET or POST requests, but there are a lot more… Continue reading “Lock down your HTTP Verbs”

Lock down your HTTP Verbs

Lockdown Sitecore Administration

The Sitecore security hardening guide 6.0 (or version 7.5 here) describes:

You should prevent anonymous users from accessing the following folders:

  • /App_Config
  • /sitecore/admin
  • /sitecore/debug
  • /sitecore/shell/WebService

And then goes on to describe removing anonymous access to those areas in IIS.

Authentication Settings

The version 7.5 document goes on to say… Continue reading “Lockdown Sitecore Administration”

Lockdown Sitecore Administration

Configuring a Content-Security-Policy

I’ve talked about how to how to remove HTTP Headers that you don’t need from IIS – but there are some that you probably will want. This particular post is about the Content Security Policy (CSP).

I’m not going to describe what one is. @Scott_Helme has already described what a Content Security Policy is far better than I can. Rather, I’m going to describe how to figure out what your policy should be… Continue reading “Configuring a Content-Security-Policy”

Configuring a Content-Security-Policy

Removing Chatty IIS Headers

IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server:

Capture

You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.

Why would I need to tell the world what ASP version, webserver, etc. that I’m using? Isn’t this just helping potential attackers? Well, yes. How do you remove these headers, though? Continue reading “Removing Chatty IIS Headers”

Removing Chatty IIS Headers

You’re checking your HTTP Headers, right?

In the rush to build a website, it’s pretty easy to overlook something as mundane as HTTP headers – until someone runs an automated pen-test against the site you’ve built and starts asking about why you’re not using them – or why you are. Then you have to run around quickly trying to fix this – and some of these tasks aren’t so easy.

All of this can be fixed with a little testing beforehand, and there is a nifty site called SecurityHeaders.io

Capture

This will tell you:

What headers you’re using and probably shouldn’t. IIS seems determined to include lots of HTTP Headers that you don’t need. This just leaks information to someone who is potentially malicious, and wastes a little bandwidth.

What headers you should use. There are a number of slightly obscure security related headers, and some new (and good) ones, such as a Content Security Policy, or HTTP Public Key Pinning.

Also, for what it’s worth, SecurityHeaders.io is by a chap called Scott Helme – https://scotthelme.co.uk/ (@Scott_Helme). He’s written about a lot of this stuff quite extensively, and also has written report-uri.io, which as we’ll see is fantastically useful.

Other ways of seeing your HTTP Headers…

  • Fiddler (Of course)
  • Browser Developer tools – such as Chrome’s – can show the response headers
  • Chrome’s HTTP Headers plugin – there are other plugins (and plugins for other browsers), but I find it very good for just doing what it says.

 

 

You’re checking your HTTP Headers, right?

How to set the Locale of a Network Service (or other System) Account

I had a problem recently with a Sitecore system I was working on. We had 4 machines involved – a development server, a content management server (CM), and two content delivery (CD) servers. The problem was, for the ‘News Search’ page we would get different number of items on the CD servers than the CM or development systems.

2 - Search Filter1 - Search Results Header

CM and Dev would return 8 items for a search of news from 1st April to 30th April. The CDs would return 54 items… Continue reading “How to set the Locale of a Network Service (or other System) Account”

How to set the Locale of a Network Service (or other System) Account