Unless you are running an ancient IIS/ASP.NET version, these fixes should apply to most versions.
HTTP Response Headers
OPTIONS: False (deny the OPTIONS verb in IIS Request Filtering, so an OPTIONS request gets a 404 instead of a list of allowed methods)
Weak SSL Cipher
IISCrypto.exe (IIS Crypto, a free third-party tool from Nartac Software that edits the SCHANNEL registry settings)
Just press the 'Best Practices' button and reboot; that disables the weak protocols and cipher suites.
Autocomplete Enabled on Password Field
Edit ASP.NET Login Pages
Edit the login template (you may have to convert the asp:Login control to a template to see its child controls)
<asp:TextBox ID="Password" runat="server" AutoCompleteType="Disabled" autocomplete="off" TextMode="Password"></asp:TextBox>
You would think AutoCompleteType="Disabled" would do it, but that property only affects single-line text boxes and does not emit anything when TextMode="Password".
Thankfully the plain HTML autocomplete="off" attribute is passed through to the rendered <input> unchanged if you just drop it in. Note that current browsers ignore autocomplete="off" on password fields for their own password managers, so this mainly satisfies the scanner finding.
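Because the page's own verdict on AutoCompleteType is "no idea what it does", the useful check is on the rendered HTML rather than the .aspx markup. The following is an added example (not code from the original page): it scans rendered login-page HTML for password inputs that lack autocomplete="off" and reports them. The sample HTML below is constructed to look like ASP.NET output; the control IDs and names are made up.

```python
"""Find password inputs in rendered HTML that still allow browser autofill."""
from html.parser import HTMLParser


class _PasswordFieldScanner(HTMLParser):
    """Collects password inputs whose autocomplete attribute is missing or not 'off'."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (id-or-name, reason)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        ident = a.get("id") or a.get("name") or "<unnamed>"
        ac = a.get("autocomplete", "").strip().lower()
        # "off" is what scanners look for; "new-password" is the modern hint
        # for change-password forms and is accepted as well.
        if ac not in ("off", "new-password"):
            reason = f'autocomplete="{ac}"' if ac else "no autocomplete attribute"
            self.findings.append((ident, reason))


def password_fields_allowing_autofill(html):
    """Return [(id_or_name, reason), ...] for every offending password input."""
    scanner = _PasswordFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of what ASP.NET might render for a login/change-password
# page; the control names and IDs are invented for this example.
SAMPLE_LOGIN_HTML = """
<form method="post" action="./Login.aspx" id="form1">
<input name="ctl00$Main$Login1$UserName" type="text" id="UserName" />
<input name="ctl00$Main$Login1$Password" type="password" id="Password" autocomplete="off" />
<input name="ctl00$Main$ChangePw$NewPassword" type="password" id="NewPassword" />
<input name="ctl00$Main$ChangePw$ConfirmPassword" type="password" id="ConfirmPassword" autocomplete="on" />
</form>
"""

if __name__ == "__main__":
    for ident, reason in password_fields_allowing_autofill(SAMPLE_LOGIN_HTML):
        print(f"{ident}: {reason}")
```

Run it against the HTML you get back from the live site (View Source or a saved proxy response), not the .aspx file; the point is to confirm what the control actually rendered.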
Secure Flag on Cookies
ASP.NET Website web.config
Add these requireSSL / cookieRequireSSL attributes where needed (the forms element lives inside authentication):
<httpCookies requireSSL="true" />
<forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
<anonymousIdentification enabled="true" cookieRequireSSL="true" />
<roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="true">
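The two config-side items on this page (denying the OPTIONS verb, and the requireSSL attributes above) are easy to get half right, so here is an added example (not from the original page) that audits a web.config for both and also checks captured Set-Cookie headers for the Secure and HttpOnly flags. The sample web.config is constructed for this example: it carries the cookie attributes shown above, a standard IIS requestFiltering block that denies OPTIONS, and a deliberately wrong cookieRequireSSL="false" on roleManager so the audit has something to report. The Set-Cookie values are likewise constructed; CustomRoleProvider is the placeholder name from the page.

```python
"""Audit an ASP.NET web.config for cookie SSL settings and the OPTIONS verb,
and check raw Set-Cookie header values for the Secure/HttpOnly flags."""
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from any real site). roleManager is
# deliberately left at cookieRequireSSL="false" to produce a finding.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
    </authentication>
    <anonymousIdentification enabled="true" cookieRequireSSL="true" />
    <roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="false" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# (path relative to <configuration>, attribute that must be "true")
COOKIE_SSL_CHECKS = (
    ("system.web/httpCookies", "requireSSL"),
    ("system.web/authentication/forms", "requireSSL"),
    ("system.web/anonymousIdentification", "cookieRequireSSL"),
    ("system.web/roleManager", "cookieRequireSSL"),
)


def _is_true(value):
    return (value or "").strip().lower() == "true"


def options_verb_denied(root):
    """True if request filtering denies OPTIONS, explicitly or via allowUnlisted."""
    verbs = root.find("system.webServer/security/requestFiltering/verbs")
    if verbs is None:
        return False
    for add in verbs.findall("add"):
        if add.get("verb", "").upper() == "OPTIONS":
            return not _is_true(add.get("allowed"))
    # Not listed: denied only when unlisted verbs are denied as a whole.
    return verbs.get("allowUnlisted", "true").strip().lower() == "false"


def audit_web_config(xml_text):
    """Return a list of finding strings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr in COOKIE_SSL_CHECKS:
        node = root.find(path)
        if node is None:
            findings.append(f"{path}: element missing, {attr} defaults to false")
        elif not _is_true(node.get(attr)):
            findings.append(f"{path}: {attr} is not true")
    if not options_verb_denied(root):
        findings.append("system.webServer/security/requestFiltering/verbs: OPTIONS not denied")
    return findings


def audit_set_cookie(header_values):
    """Map cookie name -> list of missing flags for each raw Set-Cookie value."""
    missing = {}
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        lacking = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if lacking:
            missing[name] = lacking
    return missing


# Constructed Set-Cookie values, as a scanner would capture them over HTTPS.
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=k3bq2a5vb1zqe4ey0lqz1g45; path=/; HttpOnly",
    ".ASPXAUTH=7D3E1FA0B2C4; path=/; secure; HttpOnly",
    ".ASPXANONYMOUS=dGVzdA; expires=Fri, 01-Jan-2027 00:00:00 GMT; path=/; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("CONFIG:", finding)
    for name, flags in audit_set_cookie(SAMPLE_SET_COOKIE).items():
        print(f"COOKIE {name}: missing {', '.join(flags)}")
```

Point audit_web_config at the application's effective web.config (the one in the site folder, since the page notes the root Web.Config did not work for the author) and feed audit_set_cookie the Set-Cookie lines from a real login response; the session cookie is the one most often reported without Secure.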
I would have preferred to do this in the root Web.Config to get this to work, but I could not.
For development I sometimes use:
in the web.config so I can have a generic web.config for both production and development.
However, I would have to develop using SSL from now on to keep using this approach.