Consolidate all security settings into web.confg

Dotnet-Boxed / Templates

.NET project templates with batteries included, providing the minimum amount of code required to get you going faster.

https://RehanSaeed.com

MIT License

3.39k stars 489 forks source link

Consolidate all security settings into web.confg #80

Closed sergy79 closed 8 years ago

sergy79 commented 8 years ago

Hello, I recently noticed the current template ASP MVC 4.6 version has a lot of scattered security settings across the template. Which makes it very easy to miss, and it happened to us for the longest time over nuget updates, where it slipped into the production site.

So, in keeping with configuration over convention keeping the settings, I want to recommend consolidating the security settings into the web.config. At the same time I would be interested in hearing out your thoughts on why it be better to put some of those in the code itself.

Thanks Sergy

RehanSaeed commented 8 years ago

Yes, it's difficult because you have to specify them in so many places. I'd be interested to hear what security setting in particular that was missed.

With NWebSec, you can actually configure it in Web.config but I feel that this is not the best way for a number of reasons:

Web.config settings are applied accross the whole site whereas using the filters you can apply them accross the site or on individual controllers and actions. Particularly useful for CSP.
MVC 6 drops Web.config, so you have to use filters or middleware. It would be a harder transition for people.
This is personal preference but I hate the Web.config file. It's already very long. I love that it is almost irrelevant in MVC 6.

With the other settings I'd have to write something myself. With MVC 6 I think some of this problem has gone away.

sergy79 commented 8 years ago

Interesting points, and valid if its dropped in ASP 6 :+1:

I was not talking about you, but on my side we missed some settings during our upgrades and noticed it was hard to keep track.

For simplicity, I think the option to keep everything in a central location ( IMHO messy is better that missing it totally)

Would you be open to having your own XML or JSON file for configuration? or any ideas

RehanSaeed commented 8 years ago

It would be nice to do but unfortunately security is really really hard and I think if I did something like that it might not be very configurable (Sometimes you just need to write some code instead of using config).

Re-open if you have any ideas.

sergy79 commented 7 years ago

I notice nuget and source code for ASP MVC 5 is out of date, any updates

Can you add throttling too

RehanSaeed commented 7 years ago

Can you be more specific? What exactly is out of date? No plans to add new features the MVC 5 template at the moment except maybe upgrading to jQuery 3.0.