Online security is a critically important, and yet often underappreciated, aspect of a website's success.
If you're going to run an online store or an E-commerce website, you will obviously want to assure customers that the information they give you on that site, including their credit card number, is handled securely. Website security is not just for online stores, however. While E-commerce sites and any others that deal with sensitive information (credit cards, social security numbers, financial data, etc.) are obvious candidates for secure transmissions, the truth is that ALL websites can benefit from being secured.
To secure a site's transmission (both from the site to visitors and from the visitors back to your web server), that site will need to use HTTPS — or HyperText Transfer Protocol with Secure Sockets Layer, or SSL. HTTPS is a protocol to transfer encrypted data over the Web. When someone sends you data of any kind, sensitive or otherwise, HTTPS keeps that transmission secure.
There are two primary differences between how an HTTPS connection and an HTTP connection work:
- HTTPS connects on port 443, while HTTP is on port 80.
- HTTPS encrypts the data sent and received with SSL, while HTTP sends it all as plain text.
Most customers of online stores know that they should look for the 'https' in the URL and to seek out the lock icon in their browser when they are making a transaction. If your storefront is not using HTTPS, you will lose customers and you will also possibly open yourself and your company up to serious liability should your lack of security compromise someone's private data. This is why pretty much any online store today is using HTTPS and SSL — but as we have just stated, using a secure website is not only for E-commerce sites anymore.
On today's Web, all sites can benefit from SSL usage. Google actually recommends this for sites today as a way to authenticate that the information on that site is, indeed, coming from that company and is not someone trying to spoof the site somehow. As such, Google is now rewarding sites that do use an SSL, which is yet another reason, on top of improved security, to add this to your website.
Sending Encrypted Data
As mentioned above, HTTP sends the data collected over the Internet in plain text. This means that if you have a form asking for a credit card number, that credit card number can be intercepted by anyone with a packet sniffer. Since there are many free sniffer tools available, this could be done by anyone at all with very little experience or training. By collecting information over an HTTP (not HTTPS) connection, you are taking the risk that this data could be intercepted and, since it is not encrypted, used by a thief.
What You Need to Host Secure Pages
There are only a couple of things you need in order to host secure pages on your website:
- A Web server such as Apache with mod_ssl that supports SSL encryption.
- A Unique IP address — this is what the certificate providers use to validate the secure certificate.
- An SSL Certificate from an SSL certificate provider.
If you aren't sure about the first two items, you should contact your Web hosting provider. They will be able to tell you if you can use HTTPS on your Web site. In some cases, if you are using a very low-cost hosting provider, you may need to switch hosting companies or upgrade the service you use at your current company in order to get the SSL protection you need. If this is the case — make the change. The benefits of using SSL are worth the added expense of an improved hosting environment.
Once You've Got Your HTTPS Certificate
Once you have purchased an SSL certificate from a reputable provider, your hosting provider will need to set up the certificate in your web server so that every time a page is accessed via the https:// protocol, it hits the secure server. Once that is set up, you can start building your Web pages that need to be secure. These pages can be built the same way that other pages are, you just need to make sure you link to HTTPS instead of HTTP if you are using any absolute link paths on your site to other pages.
If you already have a website that was built for HTTP and you have now changed to HTTPS, you should be all set as well. Just check the links to make sure any absolute paths are updated, including paths to image files or other external resources like CSS sheets, JS files, or other documents.
Here are some more tips for using HTTPS:
- Point to all Web forms on the https:// server. Whenever you link to Web forms on your Web site, get in the habit of linking to them with the full server URL including the https:// designation. This will ensure that they always are secured.
- Use relative paths to images on secured pages. If you use a full path (http://www...) for your images, and those images are not on the secure server, your customers will get error messages that say things like: 'Insecure data found. Continue?' This can be disconcerting, and many people will stop the purchase process when they see that. If you use relative paths, your images will be loaded from the same secure server as the rest of the page.
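The two tips above are about references that a browser would flag as mixed content on an HTTPS page. The following scanner is an added example, not code from the original article: it resolves every image, script, stylesheet, frame and form reference of a page against the page's own URL and reports the ones that still end up on plain http://. The page URL and the sample HTML are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that load a subresource or submit data for the given tag.
URL_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),    # only checked when rel includes "stylesheet"
    "form": ("action",),
}

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) triples that resolve to http:// targets."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" is a hint, not a loaded resource
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # Resolve relative and protocol-relative (//host/...) references
            # against the page URL, exactly as the browser would.
            if urlparse(urljoin(self.page_url, value)).scheme == "http":
                self.findings.append((tag, attr, value))

def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for every reference a browser would flag."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a checkout page served over HTTPS that mixes relative,
# protocol-relative and absolute http:// references.
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="http://cdn.example.test/jquery.js"></script>
</head><body>
  <img src="images/logo.png">
  <img src="http://www.example.test/images/banner.png">
  <img src="//www.example.test/images/ok.png">
  <form action="http://www.example.test/checkout.aspx" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.test/cart.aspx", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url!r}>")
```

Relative and protocol-relative references inherit the page's https:// scheme and are therefore not reported; only the two absolute http:// resources and the insecure form target are.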
Introduction
From the time you start developing your web application until you finish it, you will often use the Web.config file, not only for securing your application but also for the wide range of other purposes it is intended for. The ASP.NET Web.config file provides a flexible way to handle all your requirements at the application level. Despite the simplicity the .NET Framework provides for working with web.config, working with configuration files can be a real task until you understand it clearly. This is one of the main reasons I started writing this article.
This article is intended as a quick reference for professional developers and for those who have just started programming in .NET, and should help them understand ASP.NET configuration efficiently. Readers may skip the section 'Authentication, Authorization, Membership Provider, Role Provider and Profile Provider Settings', as most of them are familiar with those particular settings.
Background
In this article, I am going to explain the sections and settings available in the Web.config file and how you can configure them for use in the application. In a later section of the article, we will see the .NET classes that are used to work with the configuration files. The contents of the article are summarized below:
- Web.config sections/settings
- Reading Web.config
- Writing or manipulating Web.config
- Encrypting the Web.config and
- Creating your own Custom Configuration Sections
Points to be Remembered
ASP.NET Web.config allows you to define or revise the configuration settings at the time of developing the application or at the time of deployment or even after deployment. The following are brief points that can be understood about the Web.config file:
- Web.config files are stored in XML format, which makes them easier to work with.
- You can have any number of Web.config files for an application. Each Web.config applies settings to its own directory and all the child directories below it.
- All the Web.config files inherit from the root Web.config file located at systemroot\Microsoft.NET\Framework\versionNumber\CONFIG\Web.config.
- IIS is configured in such a way that it prevents the Web.config file access from the browser.
- The changes in Web.config don’t require the reboot of the web server.
Web.config Settings
Before we start working with the configuration settings of ASP.NET, let us look at the hierarchy of the Web.config file.
From the above tree structure, we can see that the configuration tag is the root element of the Web.config file, under which all the remaining sub-elements sit. Each element can have any number of attributes and child elements which specify the values or settings for that particular section. To start with, we will look at some of the most common configuration settings in the Web.config file.
system.web
In the configuration hierarchy, the most common thing we will work with is the system.web section. Now we look at some of the child sections of the system.web section of Web.config file.
Compilation Settings
If you are using Visual Studio 2010, probably the only section available in the Web.config file by default is the Compilation section. If you want to specify the target framework, add an assembly from the Global Assembly Cache (GAC) or enable debugging mode for the application, the Compilation settings are where you do it. The following code is used to achieve the discussed settings:
Under the assemblies element, you are supposed to mention the type, version, culture and public key token of the assembly. To get the public key token of an assembly, follow the steps below:
- Go to Visual Studio tools in the start menu and open the Visual Studio command prompt.
- In the Visual Studio command prompt, change the directory to the location where the assembly or .dll file exists.
- Use the following command: sn -T itextsharp.dll. It prints the public key token of the assembly. Keep in mind that a public key token exists only for assemblies that are strong-name signed.
Example
The explicit and strict attributes apply only to VB.NET; the C# compiler ignores these settings.
Page Settings
OK, by this time we have become familiar with the Web.config file and have seen the settings of the Compilation section; now we will see the settings of a page. As an ASP.NET application consists of a number of pages, we can set the general settings of a page, like session state, view state, buffer, etc., as shown below:
By using the masterPageFile and theme attributes, we can specify the master page and theme for the pages in the web application.
The next section of the Web.config file we are going to look at is the custom error settings; as the name suggests, this is where we configure the handling of application-level errors. The customErrors section of the Web.config is described by the code snippet below.
The customErrors section has the defaultRedirect and mode attributes, which specify the default redirect page and the on/off mode respectively.
The error subelements of the customErrors section allow redirecting to a specified page depending on the error status code, for example:
- 400 Bad Request
- 401 Unauthorized
- 404 Not Found
- 408 Request Timeout
For a complete list of status codes, you can refer to this URL:
Location Settings
If you are working on a major project, you probably have numerous folders and sub-folders, and in that situation you have two options. The first is to have a Web.config file for each folder and sub-folder, and the second is to have a single Web.config for your entire application. The first approach is the smoother one, but if you have a single Web.config and need to configure a sub-folder or another folder of your application, the right solution is to use the 'location' tag of the Web.config file, which carries its own 'system.web' section. You can use this tag with either of the discussed methods.
The following code shows how to work with location settings:
Creating Secure Web Pages
In a similar way, you can configure any of the available settings for any file or folder using the location tag.
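The most common use of the location tag in a secure web page setup is a per-folder or per-file authorization section. The following added example (not the article's own code) parses a constructed Web.config with two nested location entries and evaluates a request the way ASP.NET's URL authorization does: the rules of the most specific location are consulted first, the first rule that matches the user decides, and the framework's root default of allow users="*" applies when nothing matches. The folder, page and user names (Secure, bobsSecret.aspx, bob, alice) are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config: everyone may browse the site, anonymous users
# are kept out of the Secure folder, and only user "bob" may open bobsSecret.aspx.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="Secure">
    <system.web>
      <authorization><deny users="?"/></authorization>
    </system.web>
  </location>
  <location path="Secure/bobsSecret.aspx">
    <system.web>
      <authorization><allow users="bob"/><deny users="*"/></authorization>
    </system.web>
  </location>
</configuration>
"""

def _split(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def _rules_for(root, path):
    """Yield (action, users, roles), most specific <location> first, root last."""
    scopes = []
    for loc in root.findall("location"):
        loc_path = loc.get("path", "").lower().strip("/")
        if path == loc_path or path.startswith(loc_path + "/"):
            scopes.append((len(loc_path), loc.find("system.web/authorization")))
    scopes.sort(key=lambda s: -s[0])           # longest path gets the first look
    scopes.append((-1, root.find("system.web/authorization")))
    for _, auth in scopes:
        for rule in (auth if auth is not None else []):
            yield rule.tag, _split(rule.get("users", "")), _split(rule.get("roles", ""))

def is_authorized(config_xml, request_path, user=None, roles=()):
    """True if the request is allowed. user=None means an anonymous request."""
    root = ET.fromstring(config_xml)
    path = request_path.lower().strip("/")
    name = (user or "").lower()
    my_roles = _split(",".join(roles))
    for action, users, rule_roles in _rules_for(root, path):
        matches = ("*" in users                        # every user, anonymous included
                   or ("?" in users and user is None)  # anonymous users only
                   or (user is not None and name in users)
                   or bool(my_roles & rule_roles))
        if matches:
            return action == "allow"   # first matching rule decides
    return True  # the framework's root default is <allow users="*"/>
```

Note that without the second location entry the deny users="?" rule of the Secure folder would let any authenticated user, not just bob, read bobsSecret.aspx.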
As we all know, ASP.NET is stateless, and to maintain state we need to use the state management techniques available in ASP.NET; view state and session state are among them. For complete information about view state and session state and how to work with them, there are some excellent articles on CodeProject, which you can refer to here:
Now we'll see the Web.config settings of View State and Session State:
View State can be enabled or disabled by using the following page settings in the web.config file.
Session state settings for different modes are as shown below:
HttpHandler Settings
An HttpHandler is code that executes when an HTTP request for a specific resource is made to the server. For example, when an .aspx page is requested the ASP.NET page handler is executed; similarly, if an .asmx file is requested, the ASP.NET web service handler is executed. An HTTP handler is a component that handles requests at a lower level than an ASP.NET page does.
You can create your own custom HTTP handler, register it with IIS and receive notice whenever a request is made. To do this, you just need to create a class which implements IHttpHandler and then add the following section of configuration settings to the web.config file. For this demonstration, I have created a sample imagehandler class which displays a JPG image in the browser. You can go through the imagehandler class code in the sample download.
HttpModule Settings
An HttpModule is a class or an assembly that implements the IHttpModule interface and handles application events or user events. You too can create your own custom HttpModule by implementing the interface and configuring it with IIS. The following settings show the httpModules configuration in the web.config.
Authentication, Authorization, Membership Provider, Role Provider and Profile Provider Settings
These settings are directly available in the web.config file if you have created the ASP.NET application using Visual Studio 2010. I am not going to elaborate on them, as there are a lot of articles on CodeProject describing the functionality and use of these settings; for further information you can refer to them. Some of the links are here:
Authentication Settings
Authorization Settings
Membership Provider Settings
Role Provider Settings
Profile Provider Settings
AppSettings
In the above section, we have seen the settings available in the system.web tag; now we will see the settings available in the appSettings section. The appSettings element helps us store application settings information like connection strings, file paths, URLs, port numbers, custom key/value pairs, etc.
The following code snippet shows an example of the appSettings section:
connectionStrings
The most common section of the web.config file, the connectionStrings section, allows you to store multiple connection strings that are used in the application. The connectionStrings tag consists of child elements with the attributes name and connectionString; the first identifies the connection string and the other is used to connect to the database server.
The general connectionStrings settings are shown below:
ConfigSections
configSections helps you create your own custom configuration section that can be used with the web.config file. We will look at this in a later section of the article; for the time being, we can have a look at the configSections settings. configSections must be declared directly below the configuration (parent) element; otherwise it throws an error.
Programmatically Accessing the Web.config File
We can use the C# classes to read and write the values to the Web.config file.
Reading appSettings values
The following code is used to read the appSettings values from the Web.config file. You can use either of the methods shown below:
Reading connectionstring values
The following code is used to read the connectionString values from the Web.config file. You can use either of the methods shown below:
Reading configuration section values
The following code is used to read the configuration section values from Web.config file. The comments in the code will help you to understand the code:
Update the configuration section values
The following code is used to update the configuration section values in the Web.config file:
Encrypt Configuration Sections of Web.config File
As we have already discussed, IIS is configured so that it does not serve the Web.config to the browser, but to provide more security in such situations you can still encrypt some of the sections of the web.config file. The following code shows you the way to encrypt sections of the web.config file:
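Once a section has been protected, it is stored with a configProtectionProvider attribute and an EncryptedData child instead of its plaintext content. The audit below is an added example, not the article's code: it reads a constructed Web.config and reports the deployment mistakes discussed in this article, namely compilation debugging left on, customErrors switched off, and credentials sitting in connectionStrings or appSettings sections that were never encrypted. The sample values (hosts, keys, the placeholder EncryptedData content) are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: connectionStrings has been encrypted, appSettings has not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="SmtpHost" value="mail.example.test"/>
    <add key="ApiPassword" value="hunter2"/>
  </appSettings>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>...</EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.0"/>
    <customErrors mode="Off" defaultRedirect="Error.aspx"/>
  </system.web>
</configuration>
"""

SECRET_KEY = re.compile(r"password|pwd|secret|token|apikey", re.IGNORECASE)
SECRET_VALUE = re.compile(r"(password|pwd)\s*=\s*[^;]+", re.IGNORECASE)

def is_protected(section):
    # ProtectSection() rewrites a section with this attribute and an
    # <EncryptedData> child; anything else is stored in plaintext.
    return section.get("configProtectionProvider") is not None

def audit_web_config(config_xml):
    """Return a list of findings for a deployed Web.config; empty means clean."""
    root = ET.fromstring(config_xml)
    findings = []
    comp = root.find("system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true" left on in a deployed site')
    errs = root.find("system.web/customErrors")
    # When the element is absent the default mode is RemoteOnly, which is fine.
    if errs is not None and errs.get("mode", "RemoteOnly").lower() == "off":
        findings.append("customErrors mode=Off: detailed errors reach remote clients")
    conn = root.find("connectionStrings")
    if conn is not None and not is_protected(conn):
        for add in conn.findall("add"):
            if SECRET_VALUE.search(add.get("connectionString", "")):
                findings.append(f"plaintext credential in connection string '{add.get('name')}'")
    app = root.find("appSettings")
    if app is not None and not is_protected(app):
        for add in app.findall("add"):
            if SECRET_KEY.search(add.get("key", "")):
                findings.append(f"plaintext secret in appSettings key '{add.get('key')}'")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("finding:", finding)
```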
Custom Configuration Section in Web.config
I thought twice before putting this section into the article, as there are a lot of wonderful articles explaining this topic, but to make this article complete I have included it too.
Create Custom Configuration Section
The ConfigurationSection class helps us extend the Web.config file to fulfil our requirements. To have a custom configuration section, we need to follow the steps below:
Before we actually start working with it, we will have a look at the section settings. We need a ProductSection element with the child elements girdSettings and color. For this purpose, we will create two classes for the child elements which inherit from ConfigurationElement, as shown below:
... and then we will create a class called ProductSection for the root element, which includes the above child elements.
Then finally, we will configure these elements in Web.config file as shown below:
Access Custom Configuration Section
The following code is used to access the custom configuration section:
Conclusion
In this article, we have learned about the ASP.NET configuration file and we have seen almost all the available and frequently used settings of web.config file. I hope you enjoyed reading this article and this article might have helped you in completing your tasks in some way. Any comments, suggestions and feedback are always welcome, which will help me to write more articles and improve the way in which I present the articles.