September 15, 2022 | By moorecreative | SoFri Meetings
DNN, DNN User Group, DNNCMS, DotNetNuke, Performance, scan, Security, security headers, SoFri, Southern Fried DNN, web.config
In this Southern Fried DNN User Group Meeting:
Speaker: Ryan Moore, The Moore Creative Company
Topic: DNN Security Headers - From an "F" to an "A" Grade!
SoFri's Ryan Moore leads a working session explaining and demonstrating several security header settings that can be made in the DNN web.config. These settings improve overall site security and reduce the information the site exposes about itself. He explains each item and shares the code and testing tools involved.
--
Community Topics and Updates
- The SoFri discussion began with a review of community updates and health tips. David Poindexter, a co-host, was recovering from COVID, emphasizing the ongoing importance of safety measures.
- The discussion revolved around DNN community updates, primarily related to the 2sxc content module and the DNNCommunity.org website.
- They mentioned a new version of the Resource Manager for DNN that was in development and would offer improvements over the existing one.
--
Summary
In this presentation at the June 16th Southern Fried DNN User Group meeting, Ryan Moore discussed various community updates and security measures for DNN (DotNetNuke) websites. He stressed the importance of securing DNN instances, provided information on security scanning tools, and highlighted the OWASP Secure Headers project.
Ryan introduced the presentation by saying:
"I'd like to share a portion of a presentation I've been working on, which revolves around recent developments in managing DNN instances. Over time, I've honed a set of techniques and tips, integrating them into my routine when making updates to DNN sites. These updates encompass performance enhancements, settings adjustments, and security lockdown measures.
In particular, I focus on locking down various aspects of DNN instances, primarily through modifications to the web.config file. Occasionally, I delve into adjustments within the files folder structure or within IIS itself. I've compiled these methods into what I consider my go-to web.config updates: actions I find myself repeating whenever I'm working on a DNN instance, whether it's an upgrade from version 8 to 9x or a transition from 9.1.1 to 9.10.
When I undertake the task of refining the web.config, I generally refer to a boilerplate version that contains extensive notes, explanations, and guidance. My intention is to conclude this session by sharing that file and its contents in a blog post. This way, anyone who attended the session or watches it later will have access to these resources. You can review the file and identify which elements are relevant to your specific sites, enabling you to implement these same updates and actions as needed."
Notes & Details:
- Ryan Moore and the Moore Creative Company apply security-header updates to DNN sites to improve both overall security and DNN instance performance.
- The presentation focused on web.config updates for improving security, specifically for DNN instances. He referred to the OWASP Secure Headers project as a resource for securing DNN websites.
- Two security scanning tools were discussed: securityheaders.com and observatory.mozilla.org. These tools evaluate the security headers and configuration a website returns.
- Certain changes to the web.config file enhance security by minimizing the exposure of sensitive information, such as version and server details in response headers.
- The presentation also touched on the Permissions-Policy header, which restricts which browser features and device interfaces a page may use, and emphasized the importance of staying current with security practices.
- Ryan recommended these scanning tools for assessing and improving website security, highlighting how easy it is to share scan results with clients and to track changes over time.
- Securityheaders.com: the goal is an "A" rating.
- Mozilla Observatory: stricter and more detailed ratings; a typical result after these changes is at least a "B+".
- Many tools are available for security assessment; experiment with others, but focus on these two first.
- Compare the two scans and the issues each one reports.
- Identify and address unnecessary cookie exposure.
- Modify the web.config for improved security, and keep tips and comments for each security header in the web.config itself.
- Set Strict-Transport-Security with a max-age and includeSubDomains.
- Use Cache-Control headers (including disabling caching where appropriate) to control how proxies and browsers cache content.
- Use a Content-Security-Policy, but keep it loose because of DNN's dynamic content.
- Implement URL Rewrite outbound rules to modify response headers, including removing ETags and changing cookies.
- Add X-Frame-Options, X-Content-Type-Options and X-XSS-Protection (the last is deprecated in current browsers; the OWASP Secure Headers project now recommends setting it to 0).
- Consider a Permissions-Policy for the various device features, and add an Expect-CT header so Certificate Transparency problems are reported.
- Configure the server headers to limit information exposure and improve the security scan results.
- Cloudflare provides the public-facing SSL certificate, but an SSL certificate is still needed at the server level.
- Cookies should require SSL (httpCookies requireSSL), especially on e-commerce sites.
- Adjust the anonymousIdentification settings for security.
- Set enableVersionHeader="false" on httpRuntime.
- Name and prefix the additional cookies for security, and rename the mobile-view site cookie.
- Clean up the install by deleting unnecessary folders such as "documentation" and "licenses".
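The web.config items in the list above, as an added example that is not code from the presentation or from DNN itself: a small Python script holding a constructed "before" fragment (roughly a stock install) and a hardened "after" fragment, computing the header set each one produces, and auditing it against a checklist modelled on what securityheaders.com and the OWASP Secure Headers project report on. The header values, the one-year HSTS threshold and the single inherited X-Powered-By header are this example's assumptions; the ETag rule assumes the IIS URL Rewrite module is installed.

```python
# Added example (not the presentation's or DNN's code): offline audit of the
# security header settings in a DNN web.config. Both fragments are constructed.
import re
import xml.etree.ElementTree as ET

# IIS adds X-Powered-By in applicationHost.config; a site inherits it unless removed.
INHERITED_HEADERS = {"X-Powered-By": "ASP.NET"}
MIN_HSTS_MAX_AGE = 31536000  # one year (assumption for an "A")
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options",
                    "X-Content-Type-Options", "Referrer-Policy",
                    "Permissions-Policy", "Content-Security-Policy")

# Constructed "before" fragment: roughly what a stock install looks like.
BEFORE = """\
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="true" />
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
  <system.webServer><httpProtocol><customHeaders /></httpProtocol></system.webServer>
</configuration>
"""

# Constructed "after" fragment: the hardening the talk describes. The CSP stays
# loose (no script-src) for DNN's dynamic content; the ETag rule needs URL Rewrite.
AFTER = """\
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
        <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=()" />
        <add name="Content-Security-Policy" value="frame-ancestors 'self'; upgrade-insecure-requests" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <outboundRules>
        <rule name="Remove ETag">
          <match serverVariable="RESPONSE_ETag" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def effective_headers(config_xml):
    """Apply <clear>/<remove>/<add> from customHeaders on top of the inherited set."""
    root = ET.fromstring(config_xml)
    headers = dict(INHERITED_HEADERS)
    node = root.find("system.webServer/httpProtocol/customHeaders")
    for child in (node if node is not None else []):
        if child.tag == "clear":
            headers.clear()
        elif child.tag == "remove":
            headers.pop(child.get("name"), None)
        elif child.tag == "add":
            headers[child.get("name")] = child.get("value", "")
    return headers


def audit(config_xml):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(config_xml)
    headers = effective_headers(config_xml)
    findings = [f"missing {n}" for n in REQUIRED_HEADERS if n not in headers]

    hsts = headers.get("Strict-Transport-Security", "")
    if hsts:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    if "X-Powered-By" in headers:
        findings.append("X-Powered-By still exposed")
    # enableVersionHeader defaults to true, which emits X-AspNet-Version.
    runtime = root.find("system.web/httpRuntime")
    if runtime is None or runtime.get("enableVersionHeader", "true").lower() != "false":
        findings.append("X-AspNet-Version exposed (httpRuntime enableVersionHeader)")
    # requireSSL defaults to false, so cookies go out without the Secure flag.
    cookies = root.find("system.web/httpCookies")
    if cookies is None or cookies.get("requireSSL", "false").lower() != "true":
        findings.append("cookies not marked Secure (httpCookies requireSSL)")
    if root.find("system.webServer/rewrite/outboundRules/rule[@name='Remove ETag']") is None:
        findings.append("no outbound rewrite rule stripping ETag")
    return findings
```

Calling audit(BEFORE) lists every missing header plus the exposed X-Powered-By and X-AspNet-Version, the insecure cookies and the missing ETag rule; audit(AFTER) returns an empty list. The script checks the configuration, not the live response: Cloudflare or settings in applicationHost.config can still change what the browser sees, so confirm with securityheaders.com or Observatory after deploying. Expect-CT, which the talk also adds, is left out of the checklist because Chrome has since dropped support for it, and the CSP is intentionally limited to frame-ancestors and upgrade-insecure-requests, matching the talk's advice to keep it loose for DNN.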
Watch the Southern Fried DNN User Group June 2022 Meeting:
About the SouthernFried DNN User Group
Even though our DNN user group is nestled in the Carolinas, we are really YOUR DNN User Group regardless of your Southern heritage or lack thereof. Everyone is invited to attend in person or to join us online! We always try to broadcast the meeting so everyone can participate. Register now to receive the online meeting details if you want to join online.