June 2022 SoFri: DNN Security Headers - From an "F" to an "A" Grade!


Ryan Moore (DNN Security Headers - From an F to an A Grade!)


In this Southern Fried DNN User Group Meeting:

Speaker: Ryan Moore, The Moore Creative Company
Topic: DNN Security Headers - From an "F" to an "A" Grade!

SoFri's Ryan Moore leads a working session explaining and demonstrating several security header settings that can be made in the DNN web.config to improve a site's overall security posture and reduce the information it exposes. He walks through each item and shares the code and testing tools involved.

--

Community Topics and Updates

  • The SoFri discussion began with a review of community updates and health tips. David Poindexter, a co-host, was recovering from COVID, emphasizing the ongoing importance of safety measures.
  • The discussion revolved around DNN community updates, primarily related to the 2SXC content and the DNNCommunity.org website.
  • They mentioned a new version of the Resource Manager for DNN that was in development and would offer improvements over the existing one.

--


Summary

In this presentation at the June 16th Southern Fried DNN User Group meeting, Ryan Moore discussed various community updates and security measures for DNN (DotNetNuke) websites. He stressed the importance of securing DNN instances, provided information on security scanning tools, and highlighted the OWASP Secure Headers project.

Ryan introduced the presentation by sharing:

"I'd like to share a portion of a presentation I've been working on, which revolves around recent developments in managing DNN instances. Over time, I've honed a set of techniques and tips, integrating them into my routine when making updates to DNN sites. These updates encompass performance enhancements, settings adjustments, and security lockdown measures.

In particular, I focus on locking down various aspects of DNN instances, primarily through modifications to the web.config file. Occasionally, I delve into adjustments within the files folder structure or within IIS itself. I've compiled these methods into what I consider my go-to web.config updates: actions I find myself repeating whenever I'm working on a DNN instance, whether it's an upgrade from version 8 to 9x or a transition from 9.1.1 to 9.10.

When I undertake the task of refining the web.config, I generally refer to a boilerplate version that contains extensive notes, explanations, and guidance. My intention is to conclude this session by sharing that file and its contents in a blog post. This way, anyone who attended the session or watches it later will have access to these resources. You can review the file and identify which elements are relevant to your specific sites, enabling you to implement these same updates and actions as needed."

Notes & Details:

  • Ryan Moore and the Moore Creative Company apply security header updates to DNN sites to improve overall security and DNN instance performance.
  • The presentation focused on web.config updates for improving security, specifically for DNN instances. The OWASP Secure Headers project was referenced as a resource for securing DNN websites.
  • Two security scanning tools were discussed: securityheaders.com and observatory.mozilla.org. These tools evaluate the security headers and configuration a website returns.
  • The speaker explained that certain changes to the web.config file enhance security by minimizing the exposure of sensitive information (server, framework and cookie details).
  • The presentation also touched on a permissions policy for certain external tools and interfaces, emphasizing the importance of staying current on security practices.
  • Ryan recommended these scanning tools for assessing and improving website security, highlighting how easy it is to share scan results with clients and to track changes over time.

  • 🔒 Securityheaders.com: the goal is to achieve an "A" rating.
  • 🧐 Mozilla Observatory: stricter and more detailed ratings.
  • ✅ Typical result: able to attain at least a "B+" rating.
  • 🛠️ Multiple tools are available for security assessment.
  • 👉 Recommendation to experiment with different tools.
  • 🎯 Focus on two excellent tools initially.
  • 📊 Comparison of scans and the issues they observe.
  • 🍪 Identifying and addressing unnecessary cookie exposure.
  • ⚙️ Modifying web.config for improved security.
  • 💡 Tips and comments for security headers in web.config.
  • 🔒 Set Strict-Transport-Security with a max-age and includeSubDomains.
  • 🚫 Disable caching where needed to control how content is cached by proxies and browsers.
  • ⚙️ Implement Cache-Control for better browser caching management.
  • 🔒 Use a Content-Security-Policy, but keep it loose because of the dynamic content DNN serves.
  • 🔄 Implement rewrite rules to modify response headers, including removing ETags and changing cookies.
  • 🚀 Add security headers such as X-Frame-Options, X-Content-Type-Options and X-XSS-Protection.
  • ✅ Consider a Permissions-Policy for various device features, and Expect-CT reporting.
  • 🛡️ Add the Expect-CT header to monitor and report certificate transparency issues.
  • 🌐 Configure server headers to limit information exposure and improve security scan results.
  • 💻 Security headers in web.config are improved step by step.
  • 🔒 Cloudflare SSL certificates are used, but a server-level SSL certificate is still needed.
  • 🍪 HTTP cookies are set to require SSL, especially important for e-commerce sites.
  • 🔐 Anonymous identification settings are adjusted for security.
  • 🔄 The httpRuntime enableVersionHeader attribute is set to false.
  • 🍪 Additional cookies are given custom names and prefixes.
  • 📱 The mobile-view site cookie is renamed.
  • 🚧 Some cleanup includes deleting unnecessary folders such as "documentation" and "licenses".
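As an added illustration (not Ryan's boilerplate file, which this post does not include), the fragment below shows how the header settings listed above map onto the relevant web.config sections of a DNN site. The cookie name is a placeholder, the `<rewrite>` section assumes the IIS URL Rewrite module is installed, and the CSP is deliberately permissive, matching the "keep it loose" advice for DNN's dynamic content; merge these elements into the existing sections rather than adding duplicates.

```xml
<configuration>
  <system.web>
    <!-- Suppress the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Send ASP.NET cookies only over HTTPS and keep them out of reach of script -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- Rename the anonymous-identification cookie (placeholder name) and require HTTPS for it -->
    <anonymousIdentification enabled="true" cookieName=".EXAMPLE_ANON" cookieRequireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove the framework banner IIS adds by default -->
        <remove name="X-Powered-By" />
        <!-- One year HSTS, applied to subdomains as well -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <!-- Deny browser features the site does not use -->
        <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=()" />
        <add name="Expect-CT" value="max-age=86400, enforce" />
        <!-- Loose CSP: DNN modules inject inline script and styles, so only frame-ancestors is strict -->
        <add name="Content-Security-Policy" value="default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>
    <!-- Cache-Control for static files: seven days, served with max-age -->
    <staticContent>
      <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
    </staticContent>
    <!-- Outbound rewrite rules strip headers that only leak server details -->
    <rewrite>
      <outboundRules>
        <rule name="Remove ETag">
          <match serverVariable="RESPONSE_ETag" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".*" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, rescan with securityheaders.com and observatory.mozilla.org and keep the reports; the before/after comparison is what the talk suggests sharing with clients.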


Watch the Southern Fried DNN User Group June 2022 Meeting:


About the Southern Fried DNN User Group

Even though our DNN user group is nestled in the Carolinas, we are really YOUR DNN User Group regardless of your Southern heritage or lack thereof. Everyone is invited to attend in person or to join us online! We always try to broadcast the meeting so everyone can participate. Register now for the online meeting details if you want to join online.
