Steps to Secure Planvisage SCM Application

1. Enable SSL

  HTTP traffic between the web server and its clients is sent in clear text, so passwords, session cookies and any other sensitive data can be read or altered by anyone on the network path. Enable HTTPS, i.e. TLS (the IIS console still labels it SSL, Secure Sockets Layer), so that the connection is encrypted and the server is authenticated to the client.

Steps to follow

• Open IIS (Internet Information Services) manager.

• In the Connections pane on the left, select the server name.

• Double-click the Server Certificates icon in the IIS section.

• In the Actions pane, click Create Domain Certificate.

• In the Distinguished Name Properties window, enter the certificate details. The Common name must match the host name users type into the browser, otherwise every client will get a certificate warning. Click Next.

• In the Online Certification Authority window, click Select and choose the enterprise CA in your domain that will sign the certificate, give the certificate a friendly name and click Finish.

• A certificate is not used until it is bound to the site: select the site, click Bindings in the Actions pane, Add an https binding on port 443 and pick the new certificate. Then open SSL Settings for the site and tick Require SSL so that clear-text HTTP requests are refused (HTTP 403.4) instead of being served.

• For testing purposes a self-signed certificate (Create Self-Signed Certificate in the same Actions pane) can be used instead. Browsers will warn about it because no trusted CA issued it, so do not use one in production.
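The same procedure scripted with the WebAdministration module, as an added example that is not part of the Planvisage guide: it creates a test-only self-signed certificate, adds the https binding, requires SSL on the site and then checks that HTTP is refused. Assumptions: the site is "Default Web Site", the host name planvisage.corp.example is a placeholder, and the script runs in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not from the Planvisage guide. Run as Administrator on the IIS host.
Import-Module WebAdministration

$siteName = 'Default Web Site'
$hostName = 'planvisage.corp.example'   # placeholder, replace with the real FQDN

# 1. TEST-ONLY self-signed certificate in the machine store. Browsers warn about it
#    because no trusted CA signed it. For production use Create Domain Certificate
#    (enterprise CA) or a public CA and skip this step.
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'Planvisage TEST certificate' `
    -NotAfter (Get-Date).AddMonths(3)

# 2. Add an https binding on 443 if the site has none, then attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL: clear-text HTTP requests now get 403.4 instead of the application.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 4. Check: plain HTTP must be refused, HTTPS must answer.
#    -SkipCertificateCheck exists in PowerShell 7+; on Windows PowerShell 5.1 import
#    the test certificate into Trusted Root first or the HTTPS call will fail.
try {
    Invoke-WebRequest -Uri "http://$hostName/" -UseBasicParsing -MaximumRedirection 0
    Write-Warning 'Plain HTTP was served: Require SSL is not in effect'
} catch {
    Write-Host "Plain HTTP refused as expected: $($_.Exception.Message)"
}
(Invoke-WebRequest -Uri "https://$hostName/" -UseBasicParsing -SkipCertificateCheck).StatusCode
```

Refusing HTTP with 403.4 is the safe default; if users have old http:// bookmarks, add a URL Rewrite rule that redirects to https:// instead of serving the page in clear text.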

2. X-Frame-Options Header

The X-Frame-Options header tells the browser not to render the site inside a frame on another origin, which blocks clickjacking attacks against logged-in users. Follow the steps below to make IIS add the header to every response of a given site:

• Open IIS (Internet Information Services) manager

• In the Connections pane on the left, expand Sites and click the site (Default Web Site in this example)

• In the site's Home pane, under IIS, double-click the HTTP Response Headers icon

• In the Actions pane, click Add. In the dialog box enter X-Frame-Options in the Name field and SAMEORIGIN as the Value, then click OK. Use DENY instead if the application never frames its own pages.

3. Secure Cookies

Make the changes below in the application's Web.config so that cookies are marked HttpOnly (not readable by page script, which limits the damage of an XSS bug) and Secure (never sent over plain HTTP). The requireSSL value must be true; this depends on the HTTPS binding from step 1, because a Forms login over plain HTTP will fail once requireSSL is set.

<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true"/>
</system.web>

And, in addition, for the Forms authentication ticket cookie, which has its own requireSSL switch (the httpCookies setting alone does not make the authentication cookie Secure):

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" cookieless="UseCookies"/>
</authentication>
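An added example, not part of the Planvisage guide, that applies both Web.config settings with the WebAdministration module and then verifies what the site really sends: every Set-Cookie header on the login page must carry Secure and HttpOnly. Assumptions: the site is "Default Web Site", HTTPS is already bound with a certificate the machine trusts, the login URL uses the ~/Account/Login path from the snippet above, and the host name planvisage.corp.example is a placeholder.

```powershell
# Added example, not from the Planvisage guide. Run as Administrator on the IIS host.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'

# All ASP.NET-issued cookies (session cookie, custom HttpCookie objects) now default
# to HttpOnly and Secure.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpCookies' `
    -Name httpOnlyCookies -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpCookies' `
    -Name requireSSL -Value $true

# The Forms authentication ticket sets its own Secure flag from this switch,
# so it is needed as well.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/authentication/forms' `
    -Name requireSSL -Value $true

# Verify from the client side. HttpClient is used instead of Invoke-WebRequest because
# it returns each Set-Cookie header separately on both Windows PowerShell and PowerShell 7.
function Test-CookieFlags {
    param([Parameter(Mandatory)][string]$Url)

    Add-Type -AssemblyName System.Net.Http
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.UseCookies = $false          # keep raw Set-Cookie headers in the response
    $client = New-Object System.Net.Http.HttpClient($handler)
    $resp = $client.GetAsync($Url).GetAwaiter().GetResult()

    $values = $null
    if (-not $resp.Headers.TryGetValues('Set-Cookie', [ref]$values)) {
        Write-Warning "No Set-Cookie header on $Url"
        return $true
    }

    $allGood = $true
    foreach ($cookie in $values) {
        $name     = ($cookie -split '=', 2)[0]
        $secure   = $cookie -match ';\s*secure'
        $httpOnly = $cookie -match ';\s*httponly'
        Write-Host ('{0,-25} Secure={1,-5} HttpOnly={2}' -f $name, $secure, $httpOnly)
        if (-not ($secure -and $httpOnly)) { $allGood = $false }
    }
    return $allGood
}

# Returns $true only when every cookie issued by the login page is Secure and HttpOnly.
Test-CookieFlags -Url 'https://planvisage.corp.example/Account/Login'
```

Run the check after the application pool has been recycled, because cookies issued before the change are still in the browser and tell you nothing about the new configuration.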

4. Remove Server version disclosing header

By default IIS and ASP.NET announce their product and version in the Server, X-Powered-By and X-AspNet-Version response headers, which lets an attacker pick version-specific exploits without guessing. Follow the steps below to disable them:

• Open IIS (Internet Information Services) manager

• In the Connections pane, select the web site

• In the site's Home pane, under IIS, double-click the HTTP Response Headers icon

• Select X-Powered-By and click Remove. The Server header does not appear in this list because IIS adds it itself, not through the custom header collection: on IIS 10 (Windows Server 2016 and later) suppress it by setting removeServerHeader="true" on the requestFiltering element under system.webServer in Web.config; older versions need a URL Rewrite outbound rule or UrlScan. Also set enableVersionHeader="false" on the httpRuntime element under system.web so ASP.NET stops sending X-AspNet-Version.

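The header changes of step 2 (X-Frame-Options) and step 4 (version-disclosing headers) share the same configuration mechanism, so here is one added example, not part of the Planvisage guide, that applies both with the WebAdministration module and then verifies a live response. Assumptions: the site is "Default Web Site", the server runs IIS 10 or later (removeServerHeader is not recognised on older versions), and the host name planvisage.corp.example is a placeholder.

```powershell
# Added example, not from the Planvisage guide. Run as Administrator on the IIS host.
Import-Module WebAdministration
$site    = 'IIS:\Sites\Default Web Site'
$headers = 'system.webServer/httpProtocol/customHeaders'

# Step 2: X-Frame-Options: SAMEORIGIN. Remove any stale entry first so the add
# does not fail with a duplicate-key error.
Remove-WebConfigurationProperty -PSPath $site -Filter $headers -Name . `
    -AtElement @{name='X-Frame-Options'} -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter $headers -Name . `
    -Value @{name='X-Frame-Options'; value='SAMEORIGIN'}

# Step 4a: X-Powered-By is a default custom header, so removing it from the
# collection is enough (this writes <remove name="X-Powered-By"/> to Web.config).
Remove-WebConfigurationProperty -PSPath $site -Filter $headers -Name . `
    -AtElement @{name='X-Powered-By'} -ErrorAction SilentlyContinue

# Step 4b: the Server header comes from IIS itself; IIS 10+ has a switch for it
# (<requestFiltering removeServerHeader="true" />).
Set-WebConfigurationProperty -PSPath $site `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name removeServerHeader -Value $true

# Step 4c: ASP.NET adds X-AspNet-Version unless told otherwise
# (<httpRuntime enableVersionHeader="false" />).
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/httpRuntime' `
    -Name enableVersionHeader -Value $false

# Verify against a real response. Works on Windows PowerShell 5.1 and PowerShell 7;
# on 7 header values are arrays, hence the [string] cast.
function Test-ResponseHeaders {
    param([Parameter(Mandatory)][string]$Url)
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    $h = $r.Headers
    [pscustomobject]@{
        XFrameOptions    = [string]$h['X-Frame-Options']         # expect SAMEORIGIN
        ServerHidden     = -not $h.ContainsKey('Server')
        NoPoweredBy      = -not $h.ContainsKey('X-Powered-By')
        NoAspNetVersion  = -not $h.ContainsKey('X-AspNet-Version')
    }
}

Test-ResponseHeaders -Url 'https://planvisage.corp.example/'
```

Check an error page as well as the home page: custom error handlers and static files go through different pipelines, and a header that is missing on a 404 response is still a disclosure.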