Unless you are running an ancient IIS/ASP.NET version, this should apply to most versions.
X-Frame-Options
IIS Manager > HTTP Response Headers > Add: X-Frame-Options = SAMEORIGIN
HTTP Options
IIS Manager > Request Filtering > HTTP Verbs > Deny Verb: OPTIONS (it is then listed with Allowed = False)
Weak SSL Ciphers
IISCrypto.exe (third-party tool): https://www.nartac.com/Products/IISCrypto/
Just press the 'Best Practices' button and reboot. Review the resulting protocol and cipher list first, since disabling old protocols can lock out old clients.
Autocomplete Enabled on Password Field
Edit the ASP.NET login pages: edit the login template (you may have to convert the asp:Login control to a template to see its child controls) and give the password box an autocomplete attribute:
<asp:TextBox ID="Password" runat="server" AutoCompleteType="Disabled" autocomplete="off" TextMode="Password"></asp:TextBox>
You would think AutoCompleteType="Disabled" would do it, but ultimately I have no idea what it does.
Thankfully autocomplete="off" gets preserved if you just drop it in.
Secure Flag on Cookies
In the ASP.NET website's web.config, add these requireSSL attributes where needed:
<system.web>
  <httpCookies requireSSL="true" />
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
  </authentication>
  <anonymousIdentification enabled="true" cookieRequireSSL="true" />
  <roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="true">
    ...
  </roleManager>
</system.web>
I would have preferred to do this in the root Web.Config, but I could not get it to work.
For development I sometimes use:
<appSettings file="diff\config\AppSettings.config">
and
<connectionStrings configSource="diff\config\Connection.config"/>
in the web.config so I can have a generic web.config for both production and development.
However, I would have to develop using SSL from now on to keep using this approach.
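To check that the header, verb and cookie settings above actually landed in a site's web.config, here is an added audit script (not from the original post). It assumes IIS Manager stored the X-Frame-Options header under system.webServer/httpProtocol/customHeaders and the verb rule under system.webServer/security/requestFiltering/verbs, and the embedded web.config is a constructed sample, not a real site's file.

```python
import xml.etree.ElementTree as ET

# Constructed site-level web.config combining this page's settings (assumed layout).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
    </authentication>
    <anonymousIdentification enabled="true" cookieRequireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol><customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders></httpProtocol>
    <security><requestFiltering><verbs>
      <add verb="OPTIONS" allowed="false" />
    </verbs></requestFiltering></security>
  </system.webServer>
</configuration>"""

def node(elem, *tags):
    """Walk down by literal child tag names (dotted names like system.webServer match as-is)."""
    for tag in tags:
        if elem is None:
            return None
        elem = next((c for c in elem if c.tag == tag), None)
    return elem

def add_entry(parent, attr, value):
    """The <add/> child of parent whose attribute equals value (case-insensitive), or None."""
    kids = [] if parent is None else list(parent)
    return next((c for c in kids if c.tag == "add" and c.get(attr, "").lower() == value.lower()), None)

def flag(elem, attr, expected="true"):
    """True only when the element exists and the attribute has the expected value."""
    return elem is not None and elem.get(attr, "").lower() == expected

def audit_web_config(xml_text):
    """Map each hardening item from this page to True (set) or False (missing or weak)."""
    root = ET.fromstring(xml_text)
    web, srv = node(root, "system.web"), node(root, "system.webServer")
    xfo = add_entry(node(srv, "httpProtocol", "customHeaders"), "name", "X-Frame-Options")
    verb = add_entry(node(srv, "security", "requestFiltering", "verbs"), "verb", "OPTIONS")
    return {
        "x_frame_options": xfo is not None and xfo.get("value", "").upper() in ("DENY", "SAMEORIGIN"),
        "options_verb_denied": flag(verb, "allowed", "false"),
        "cookies_require_ssl": flag(node(web, "httpCookies"), "requireSSL"),
        "forms_require_ssl": flag(node(web, "authentication", "forms"), "requireSSL"),
        "anon_cookie_require_ssl": flag(node(web, "anonymousIdentification"), "cookieRequireSSL"),
    }
```

Run audit_web_config on the text of a real site's web.config and any False entry is a setting from this page that is still missing or set to a weak value.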