Umbraco makes it easy to protect your site from clickjacking by providing an option in its backoffice to turn the protection on. Navigate to the Developer section of the Umbraco backoffice and open the Health Check tab. One of its groups is "Security", which contains a Click-Jacking Protection check. Run the security group and you will see the warning related to Click-Jacking; you can enable the protection from there with the click of a button, which adds the following to the system.webServer section of your web.config:
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="sameorigin" />
      </customHeaders>
    </httpProtocol>
Setting X-Frame-Options to sameorigin means the page can only be displayed in a frame on the same origin as the page itself. We could set it to DENY instead, but then we have to exclude the umbraco path, since the Umbraco backoffice itself uses iframes.
Also, make sure you update the web.config in your source code (version control) if you enabled clickjacking protection via the backoffice. Otherwise, on your next web deploy, the web.config on the host server will be overwritten by the source code version.
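If you prefer the stricter DENY value, the backoffice exclusion mentioned above can be done with an IIS location override. This is an added example rather than the configuration Umbraco's health check writes; it assumes the backoffice is served from the default "umbraco" path under the site root.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site-wide: forbid framing entirely, including from the same origin. -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Override for the backoffice only (assumed default path "umbraco"):
       its UI uses iframes, so relax to sameorigin rather than DENY. -->
  <location path="umbraco">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <!-- Remove the inherited DENY before adding the narrower value,
               otherwise IIS reports a duplicate-entry configuration error. -->
          <remove name="X-Frame-Options" />
          <add name="X-Frame-Options" value="sameorigin" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

After deploying, confirm the header on a public page and on the backoffice login page (for example with your browser's network tab or curl -I) so that the DENY/sameorigin split is really in effect and the backoffice still loads.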