Web.config Security Configuration

Source: Internet
Author: User
Tags: configuration settings

 

Web.config is in the root directory of the website.

 

1. authentication node

 

<system.web>

<!-- Configure the security authentication mode that ASP.NET uses to identify the incoming user. -->

<authentication mode="Forms">

<forms loginUrl="~/User/Login.aspx" name=".ASPXAUTH" defaultUrl="User/Default.aspx" timeout="30" path="/" />

</authentication>

Configures the website to use forms authentication. When a user who has not logged on requests a page that requires authentication, the request is automatically redirected to the login page. The loginUrl attribute names the login page, and the name attribute is the name of the authentication cookie.

 

2. authorization node

 

<!-- Configure web application authorization to control client access to URL resources. -->

<authorization>

<!-- Rules are evaluated top to bottom and the first match wins, so deny anonymous users before allowing everyone. -->

<deny users="?" />

<allow users="*" />

</authorization>

 

allow adds a rule to the authorization rule mapping that allows access to the resource.

deny adds a rule to the authorization rule mapping that denies access to the resource.

users="*" refers to all users; users="?" refers to anonymous (unauthenticated) users.

Note: at runtime, the authorization module walks the allow and deny elements, starting from the most local configuration file, until it finds the first rule that matches the current user, and then allows or denies access to the URL resource according to that first rule. The default authorization rule is <allow users="*"/>, so access is allowed by default unless configured otherwise.

If the web.config in the root directory becomes too cumbersome, you can place these settings in the web.config of the corresponding subdirectory, for example the User directory.

 

3. customErrors node

 

<customErrors mode="Off">

</customErrors>

<customErrors defaultRedirect="url"

mode="On|Off|RemoteOnly">

<error ... />

</customErrors>

 

defaultRedirect: optional attribute. Specifies the default URL to which the browser is redirected when an error occurs. If it is not specified, a generic error page is displayed.

mode: required attribute. Specifies whether custom errors are enabled, disabled, or shown only to remote clients. It takes one of the following values:

On: custom errors are enabled. If defaultRedirect is not specified, a generic error page is shown.

Off: custom errors are disabled, so the standard detailed ASP.NET error pages are shown to every client.

RemoteOnly: custom errors are shown to remote clients, while detailed ASP.NET errors are shown only on the local host. This is the default value.

error: optional element. Specifies the custom error page for an HTTP status code. The error element can appear multiple times; each occurrence defines one custom error condition.

For example:

<customErrors mode="RemoteOnly" defaultRedirect="~/Prompt/GenericError.htm">

<error statusCode="403" redirect="~/Prompt/NoAccess.htm" />

<error statusCode="404" redirect="~/Prompt/FileNotFound.htm" />

<error statusCode="500" redirect="~/Prompt/GenericError.htm" />

</customErrors>

 

You can customize error pages here.

 

4. pages node

 

<!-- Globally define page-specific configuration settings, such as ASP.NET directives for pages and controls, within the scope of this configuration file. -->

<pages validateRequest="true" styleSheetTheme="UserDefaultTheme" />

validateRequest="true"

This value determines whether ASP.NET checks input from the browser for potentially dangerous values: true means the input is checked, false means it is not. The default value is true.

This check helps prevent dangerous code such as cross-site scripting from reaching the application. Keep the global default at true and turn it off only on the few pages that need it, such as a search page: set ValidateRequest="false" in the page directive of Search.aspx so that users can search for content such as <div>, and leave the rest of the site protected.
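As an added example (not code from the original article), the following Python script audits a web.config for the three weak settings covered in sections 1 to 4: customErrors mode="Off", validateRequest="false" at site level, and an authorization block whose <allow users="*"/> comes before <deny users="?"/>. The configuration inside it is a constructed sample.

```python
# Added example, not code from the original article: audit a web.config for the
# weak settings discussed above. WEB_CONFIG is a constructed sample that
# deliberately contains all three problems.
import xml.etree.ElementTree as ET

WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/User/Login.aspx" name=".ASPXAUTH" timeout="30" path="/" />
    </authentication>
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
    <customErrors mode="Off" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means none of the weak settings is present."""
    root = ET.fromstring(xml_text)
    # find("system.web") would read the dot as an XPath step, so match the tag directly.
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    # mode="Off" shows detailed ASP.NET errors (stack traces, file paths) to every
    # client; RemoteOnly is both the default and the safe choice.
    ce = web.find("customErrors")
    if ce is not None and ce.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode=Off: detailed errors are shown to remote clients")
    # Request validation should stay on globally and be disabled only per page.
    pages = web.find("pages")
    if pages is not None and pages.get("validateRequest", "true").lower() == "false":
        findings.append("pages validateRequest=false: request validation is off site-wide")
    # Authorization rules are evaluated top to bottom and the first match wins, so
    # <allow users="*"/> placed before <deny users="?"/> lets anonymous users in.
    auth = web.find("authorization")
    if auth is not None:
        rules = [(rule.tag, rule.get("users", "")) for rule in auth]
        if (("allow", "*") in rules and ("deny", "?") in rules
                and rules.index(("allow", "*")) < rules.index(("deny", "?"))):
            findings.append('authorization: <allow users="*"/> precedes <deny users="?"/>, '
                            "so the deny rule is never reached")
    return findings
```

Run it against your own web.config by reading the file into a string and printing each returned finding.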

 

Security.config configuration

This file is in the Config directory.

1. Back-end page access configuration

NoCheckAdminLogOn

Back-end pages for which the login check is skipped.

 

<NoCheckAdminLogOn mode="OnlyList">

<Page url="~/Admin/Login.aspx" /> <!-- back-end login page -->

<Page url="~/Admin/Prompt/ShowError.aspx" /> <!-- back-end error page -->

</NoCheckAdminLogOn>

 

 

2. Source-page (referrer) check configuration for back-end pages

NoCheckUrlReferrer

The list of back-end pages for which the source page is not checked, that is, the pages the administrator may open directly by URL. By default, direct access to back-end pages is not allowed; this protects them from unauthorized access through external links and helps prevent cross-site request forgery. Because browsers and proxies may omit the referrer header, treat this check as a supplement to the security code check in section 3 rather than a replacement for it.

 

<NoCheckUrlReferrer mode="OnlyList">

</NoCheckUrlReferrer>

 

If a page that is not in the list is accessed directly by URL, the following error is shown:

Possible causes of the error:

Sorry, for system security you are not allowed to access the back-end management page of the system by entering its address directly.

You can customize this message as needed.

 

3. Security code configuration for pages protected against cross-site request forgery

CheckSecurityCode

Checks a security code when the page is submitted.

This prevents abnormal (malicious) operations from causing major damage to the system and protects important operations against cross-site request forgery.

For example:

 

<Page url="~/Admin/Contents/ModelManage.aspx?Action=Delete" />


 

4. Page operation permission code configuration

CheckPermissions

Checks whether the back-end administrator holds the operation code permissions required by the page.

 

<Page url="contents/addcontenttonode.aspx" operateCode="CategoryInfoManage" checkType="or" />

 

operateCode is the operation code; whether the operation permission exists is decided from this code.

checkType is the type of permission check: or or and.

or: the listed operation codes are combined with OR; true is returned if the administrator has any one of them. This is the default value, so it does not need to be configured when a single permission code is listed.

and: the listed operation codes are combined with AND; true is returned only if the administrator has all of them, otherwise false.
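As an added example (not the CMS's own code), this Python function evaluates the four Security.config lists from sections 1 to 4 for a single back-end request. The configuration is a constructed sample; the element and attribute names follow the article, while comma-separated operation codes and the reading of mode="OnlyList" as "only the listed pages skip the check" are assumptions.

```python
# Added example, not the CMS's own code: decide whether one back-end request
# passes the four Security.config lists described above. SECURITY_CONFIG is a
# constructed sample; comma-separated operation codes and the meaning of
# mode="OnlyList" (only the listed pages skip the check) are assumptions.
import xml.etree.ElementTree as ET

SECURITY_CONFIG = """<Security>
  <NoCheckAdminLogOn mode="OnlyList">
    <Page url="~/Admin/Login.aspx" />
    <Page url="~/Admin/Prompt/ShowError.aspx" />
  </NoCheckAdminLogOn>
  <NoCheckUrlReferrer mode="OnlyList">
    <Page url="~/Admin/Login.aspx" />
    <Page url="~/Admin/Default.aspx" />
  </NoCheckUrlReferrer>
  <CheckSecurityCode>
    <Page url="~/Admin/Contents/ModelManage.aspx?Action=Delete" />
  </CheckSecurityCode>
  <CheckPermissions>
    <Page url="contents/addcontenttonode.aspx" operateCode="CategoryInfoManage,ContentManage" checkType="or" />
    <Page url="~/Admin/Contents/ModelManage.aspx?Action=Delete" operateCode="ModelManage,ContentDelete" checkType="and" />
  </CheckPermissions>
</Security>"""


def _listed(root, section, url):
    """True if url appears as a <Page> under the given section (case-insensitive)."""
    return any(p.get("url", "").lower() == url.lower() for p in root.findall(section + "/Page"))


def check_admin_request(config_xml, url, logged_on, has_referrer, has_security_code, admin_codes):
    """Return (allowed, reason) for one request; the checks run in the article's order."""
    root = ET.fromstring(config_xml)
    if not logged_on and not _listed(root, "NoCheckAdminLogOn", url):
        return False, "not logged on"
    if not has_referrer and not _listed(root, "NoCheckUrlReferrer", url):
        return False, "direct access without a source page is not allowed"
    if not has_security_code and _listed(root, "CheckSecurityCode", url):
        return False, "security code missing or invalid"
    for page in root.findall("CheckPermissions/Page"):
        if page.get("url", "").lower() != url.lower():
            continue
        needed = [c.strip() for c in page.get("operateCode", "").split(",") if c.strip()]
        # checkType "or": any listed code suffices (default); "and": all are required.
        combine = all if page.get("checkType", "or").lower() == "and" else any
        if needed and not combine(code in admin_codes for code in needed):
            return False, "missing operation code (%s)" % page.get("checkType", "or")
    return True, "ok"
```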

 

AjaxLabel.config configuration instructions

This is the access permission control file for ajax.aspx.

The front-end AJAX labels are very powerful, which makes exposing them directly a risk, so an XML security file configures which AJAX labels may be referenced directly. The AjaxLabel.config file is in the Config directory under the website root. If a label has no record in this file, access is prohibited!

For example:

 

<Label name="content comment PK tag">

<Param name="generalid" datatype="Int"></Param>

</Label>

 

The label named "content comment PK tag" can be called by ajax.aspx, and its only permitted parameter is generalid of type Int, which effectively prevents the label from being misused.

If you need a custom label to be callable through ajax.aspx, configure it in AjaxLabel.config.
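As an added example (not the CMS's own code), this Python function validates a call to ajax.aspx against AjaxLabel.config in the way the text describes: unknown labels are refused, only the listed parameters are accepted, and an Int parameter must be an integer. The root element name AjaxLabels is an assumption; the sample is constructed from the article's Label entry.

```python
# Added example, not the CMS's own code: validate a call to ajax.aspx against
# AjaxLabel.config. AJAX_LABEL_CONFIG is constructed from the article's sample;
# the root element name AjaxLabels is assumed, and "Int" is the only datatype
# the article shows, so any other datatype is treated as free text here.
import re
import xml.etree.ElementTree as ET

AJAX_LABEL_CONFIG = """<AjaxLabels>
  <Label name="content comment PK tag">
    <Param name="generalid" datatype="Int"></Param>
  </Label>
</AjaxLabels>"""


def validate_ajax_call(config_xml, label_name, params):
    """Return (ok, reason). Unknown labels, unlisted parameters and wrong types are refused."""
    root = ET.fromstring(config_xml)
    label = next((lab for lab in root.findall("Label") if lab.get("name") == label_name), None)
    if label is None:
        return False, "label not configured: access prohibited"
    # Allowlist of parameter name -> datatype for this label.
    allowed = {p.get("name"): p.get("datatype", "") for p in label.findall("Param")}
    for name, value in params.items():
        if name not in allowed:
            return False, "parameter not allowed: " + name
        if allowed[name] == "Int" and not re.fullmatch(r"-?\d+", value):
            return False, "parameter must be Int: " + name
    return True, "ok"
```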

 

App_offline.htm file function

Create a static HTML page named app_offline.htm (case-insensitive) with the content you want to show temporarily and put it in the root directory of your application. From then on, every external request is immediately answered with this page.

After website maintenance is complete, remember to rename the app_offline.htm file.

 

AllowString.xml file configuration

The file is located in the Common directory.

The role of this file is to allow users to submit certain special JavaScript fragments even when XSS (cross-site scripting) filtering is enabled for member posts.

In an XSS attack, the attacker uses the website's own input handling to get HTML or script past the filter so that it is displayed to other users; with it the attacker can steal user information, perform actions under the user's identity, or deliver malware to visitors.

 

For example:

 

<AllowString><![CDATA[onmousewheel="return bbimg(this)"]]></AllowString>

<AllowString><![CDATA[onload="resizepic(this)"]]></AllowString>

 

Function: allows the code onmousewheel="return bbimg(this)" and onload="resizepic(this)" to be retained. This is a reserved feature for the FCK image upload function.

If other code needs to pass the strict system filtering, add it here. Every entry is an exception to the XSS filter, so keep the list as short and as exact as possible.
