
Difference between revisions of "OWASP ASP.NET MVC Boilerplate Project"

From OWASP

Latest revision as of 10:59, 17 April 2016


ASP.NET MVC Boilerplate Project

The default ASP.NET MVC project template uses insecure defaults and omits many security features altogether. ASP.NET MVC Boilerplate is a Visual Studio project template that enables security features by default and adds liberal comments and links to further resources to help developers (who often do not have a lot of knowledge on the subject) get started.


Description

A professional ASP.NET MVC template for building secure, fast, robust and adaptable web applications or sites. It provides the minimum amount of code required on top of the default MVC template provided by Microsoft to provide security by default.


Better Defaults

The default MVC template provided by Microsoft is not as secure as it could be. There are various settings (mostly in the web.config file) which are insecure by default. For example, it leaks information about which version of IIS you are using and allows external scripts to access cookies by default! ASP.NET MVC Boilerplate makes everything secure by default.
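As an added illustration (not the project's own code), the script below audits a web.config for the defaults described above: cookies readable by script (httpOnlyCookies), cookies sent over plain HTTP (requireSSL) and the .NET version header (enableVersionHeader), plus the IIS X-Powered-By header, which is this example's own addition. Both config fragments are constructed; the first mirrors the stock template, the second the hardened settings.

```python
import xml.etree.ElementTree as ET

# Constructed: settings as the stock Microsoft MVC template leaves them.
INSECURE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders /></httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed: the same file with the defaults tightened.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" enableVersionHeader="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders><remove name="X-Powered-By" /></customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def _attr(node, name, default):
    """Boolean attribute, falling back to ASP.NET's own default when absent."""
    return default if node is None else node.get(name, str(default)).lower() == "true"


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    cookies = root.find("system.web/httpCookies")
    # httpOnlyCookies defaults to false: any script on the page can read the cookies.
    if not _attr(cookies, "httpOnlyCookies", False):
        findings.append("httpCookies: httpOnlyCookies should be true")
    if not _attr(cookies, "requireSSL", False):
        findings.append("httpCookies: requireSSL should be true")
    # enableVersionHeader defaults to true and emits the X-AspNet-Version header.
    if _attr(root.find("system.web/httpRuntime"), "enableVersionHeader", True):
        findings.append("httpRuntime: enableVersionHeader should be false")
    removed = {r.get("name") for r in
               root.findall("system.webServer/httpProtocol/customHeaders/remove")}
    if "X-Powered-By" not in removed:
        findings.append("customHeaders: X-Powered-By should be removed")
    return findings
```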

TLS and HTTPS

Setting up TLS so that your site runs over HTTPS is very difficult in ASP.NET MVC, as it requires several steps to do correctly. ASP.NET MVC Boilerplate makes this easy with step-by-step instructions and links.

HTTP Headers

Several HTTP headers are also used to provide better security using the NWebSec NuGet packages (https://nwebsec.codeplex.com/):

  1. Content Security Policy (CSP) (https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy)
  2. Strict-Transport-Security (HSTS) (https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security)
  3. Public-Key-Pins (HPKP) (https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning)
  4. X-Content-Type-Options (http://rehansaeed.com/nwebsec-asp-net-mvc-security-through-http-headers/)
  5. X-Download-Options (same article)
  6. X-Frame-Options (same article)

Subresource Integrity (SRI)

ASP.NET MVC Boilerplate has Subresource Integrity (SRI) implemented by default using a custom ASP.NET MVC 6 TagHelper (http://rehansaeed.com/subresource-integrity-taghelper-using-asp-net-core/).

Detailed Comments

ASP.NET MVC Boilerplate provides detailed comments and links to official documentation explaining all of the security features.

Security Check-List

ASP.NET MVC Boilerplate provides a check-list of steps the developer needs to take to secure the site.

Fingerprint Resistant

ASP.NET MVC Boilerplate attempts to thwart fingerprinting tools by removing the IIS and .NET version HTTP headers and also changing several defaults including session and anti-forgery cookie names.
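Added example, not the project's code: a Python audit of a captured HTTP response that checks for the headers listed under HTTP Headers above and for the fingerprints described here (IIS and .NET version headers, stock session and anti-forgery cookie names). The sample response is constructed; the one-year HSTS threshold and the note that HPKP is deprecated are this example's own checks.

```python
# Headers the template sets (HPKP handled separately below) and fingerprints it removes.
REQUIRED = ("Content-Security-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "X-Download-Options", "X-Frame-Options")
FINGERPRINT = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")
DEFAULT_COOKIES = ("ASP.NET_SessionId", "__RequestVerificationToken")  # stock names
ONE_YEAR = 31536000

# Constructed sample: a server that still leaks versions and uses stock cookie names.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: __RequestVerificationToken=xyz; path=/; HttpOnly\r\n"
    "\r\n<html></html>"
)


def parse_headers(raw):
    """Return [(lower-cased name, value), ...] from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop status line and body
    return [(n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in head)]


def audit_response(raw):
    """Return findings: missing headers, leaked fingerprints and weak values."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    findings = [f"missing {h}" for h in REQUIRED if h.lower() not in present]
    findings += [f"fingerprint header present: {h}" for h in FINGERPRINT if h.lower() in present]
    for name, value in headers:
        if name == "strict-transport-security" and "max-age=" in value:
            age = int(value.split("max-age=")[1].split(";")[0])
            if age < ONE_YEAR:  # a short max-age gives little lasting protection
                findings.append(f"HSTS max-age too short: {age}")
        elif name == "public-key-pins":
            # HPKP is deprecated and ignored by current browsers, and a stale pin
            # can lock users out, so it is flagged rather than required.
            findings.append("HPKP present: deprecated, plan removal")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            if cookie in DEFAULT_COOKIES:
                findings.append(f"stock cookie name reveals ASP.NET: {cookie}")
    return findings
```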

Dynamic IP Security

ASP.NET MVC Boilerplate enables IIS Dynamic IP Security to limit the maximum number of concurrent requests to thwart DDoS attacks.

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 2.0 (https://github.com/RehanSaeed/ASP.NET-MVC-Boilerplate/blob/master/LICENSE) as published by the Free Software Foundation, 2015.

Project Resources

  • GitHub Project Home Page (https://github.com/RehanSaeed/ASP.NET-MVC-Boilerplate) where you can view source code, log issues and view the change log.
  • Visual Studio Gallery (https://visualstudiogallery.msdn.microsoft.com/6cf50a48-fc1e-4eaf-9e82-0b2a6705ca7d) where you can install the project template and rate/review it.
  • My RehanSaeed.com blog (http://rehansaeed.com/asp-net-mvc-boilerplate/) where I post articles detailing features of the project. The project template itself links to many of the articles so that developers can get detailed information if they need it.

Project Leader

Muhammad Rehan Saeed (http://rehansaeed.com)

Classifications

Code project; Incubator Project; Builders; Affero General Public License 3.0

News and Events

Read all of the blog articles about this project at http://rehansaeed.com/asp-net-mvc-boilerplate/.

Roadmap

As ASP.NET MVC evolves and many of the JavaScript libraries release new updates, this project template needs constant updates. It is intended that this project template remain as current as possible. I would like to add more security features to the site template and add more documentation and helper comments.

Getting Involved

All are welcome to get involved. Simply visit the GitHub site and raise a pull request for your code.

Minimum Viable Product

A Visual Studio Project Template which you can download from https://visualstudiogallery.msdn.microsoft.com/6cf50a48-fc1e-4eaf-9e82-0b2a6705ca7d