Web.config
Error handling in web.config
In order to handle errors in .net application you need to take into account both application errors and IIS-server-error (if site running on IIS). You may add following code to the web.config to redirect the user in case of an error:
<system.web>
<customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" xdt:Transform="Replace">
<error statusCode="403" redirect="/Error/Forbidden" />
<error statusCode="404" redirect="/Error/NotFound" />
<error statusCode="500" redirect="/Error/InternalServerError" />
</customErrors>
</system.web>
<system.webServer>
<httpErrors errorMode="Custom" existingResponse="Replace" xdt:Transform="Replace">
<remove statusCode="403" />
<remove statusCode="404" />
<remove statusCode="500" />
<error statusCode="403" path="/Error/Forbidden" responseMode="ExecuteURL" />
<error statusCode="404" path="/Error/NotFound" responseMode="ExecuteURL" />
<error statusCode="500" path="/Error/InternalServerError" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
Anti-sniff in web.config
Server respond with certain header information and give away bits about what applications the server is running and versions. You can change this in order to minimize the security risk of somone knowing this by adding following to the web.config file:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="X-XSS-Protection" value="1; mode=block" />
<!--<add name="Content-Security-Policy" value="'self' https://ajax.googleapis.com" />-->
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
Set valid characters for URL in Web.config
This changes which characters that is illegal to use in URL and thus causes an exception when used.
<httpRuntime relaxedUrlToFileSystemMapping="true" requestPathInvalidCharacters="<,>,*,%,:,\,?" targetFramework="4.5.1" />
Set Relaxed mapping for URL in Web.config
This allows "foo.com/bar%20/hej" to resolve like "foo.com/bar/hej".
<httpRuntime relaxedUrlToFileSystemMapping="true" targetFramework="4.5.1" />
Increase maximum URL and URL-Query length
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxQueryString="32768"/>
</requestFiltering>
</security>
</system.webServer>
<httpRuntime maxQueryStringLength="32768" maxUrlLength="65536"/>
Published: 2016-08-25