Application Server Hardening
Like web servers, application servers are flexible in their configuration. This flexibility allows them to be integrated into diverse environments. However, in many cases the out-of-the-box installation will not be hardened for Internet usage. Steps need to be taken to configure these servers so that they are secure. The following are some hardening guidelines for application servers.
Java and .NET
The following are hardening recommendations for all next generation web application servers, but particularly for Java and .NET servers.
Hardening guidelines
Run all applications over SSL.
Do no rely on client-side validation. Make input validation decisions on the server.
Use the HttpOnly cookie option to help protect against cross-site scripting.
Plan how authentication and access controls work before implementation.
Employ role-base authorization checks for resources such as pages and directories.
Divide the file structure of the site into public and restricted areas and provide proper authentication and access controls to restricted areas.
Validate all input for type, length, and format. Employ positive validation and check for known acceptable data before filtering for bad data.
Handle exceptions securely by not providing debug or infrastructure details as part of the exception.
Use absolute URLs when sites contain secure and unsecure items.
Ensure parameters used in SQL statements or data access codes are validated for length and type of data to help prevent ...