First couple of files. Let's see how this looks.

NWebsec · Oct 5, 2015 · 777905f · 777905f
1 parent e0f455a
commit 777905f
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 11 deletions.
diff --git a/source/conf.py b/source/conf.py
@@ -55,9 +55,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.1'
+#version = '4.1'
 # The full version, including alpha/beta/rc tags.
-release = '4.1'
+#release = '4.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
@@ -91,6 +91,7 @@
 # output. They are ignored by default.
 #show_authors = False
 
+highlight_language='csharp'
 # The name of the Pygments (syntax highlighting) style to use.
 pygments_style = 'sphinx'
 
@@ -110,6 +111,17 @@
 # a list of builtin themes.
 #html_theme = 'alabaster'
 
+# on_rtd is whether we are on readthedocs.org
+import os
+on_rtd = os.environ.get('READTHEDOCS', None) == 'True'
+
+if not on_rtd:  # only import and set the theme if we're building docs locally
+    import sphinx_rtd_theme
+    html_theme = 'sphinx_rtd_theme'
+    html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
+
+# otherwise, readthedocs.org uses their theme by default, so no need to specify it
+
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.

diff --git a/source/index.rst b/source/index.rst
@@ -3,20 +3,46 @@
    You can adapt this file completely to your liking, but it should at least
    contain the root `toctree` directive.
 
-Welcome to NWebsec's documentation!
-===================================
-
-Contents:
+NWebsec - Security libraries for ASP.NET
+========================================
 
 .. toctree::
    :maxdepth: 2
+   :titlesonly:
+   :hidden:
+
+   nwebsec/getting-started
+   nwebsec/libraries
+
+
+NWebsec consists of several security libraries for ASP.NET applications. Consult the [[Documentation]] to see how it works.
+
+You'll find the NWebsec packages on NuGet:
+
+* https://nuget.org/packages/NWebsec/
+* https://nuget.org/packages/NWebsec.Mvc/
+* https://nuget.org/packages/NWebsec.Owin/
+* https://nuget.org/packages/NWebsec.SessionSecurity/
+* https://nuget.org/packages/NWebsec.AzureStartupTasks/
+
+NWebsec/NWebsec.Mvc lets you remove version headers, control cache headers, stop potentially dangerous redirects, and set important security headers. If you're not sure what "security headers" are, check out this blog post: `Security through HTTP response headers <http://www.dotnetnoob.com/2012/09/security-through-http-response-headers.html>`_.
+
+NWebsec.Owin provides OWIN middleware to stop potentially dangerous redirects and set important security headers.
+
+NWebsec.SessionSecurity improves ASP.NET session security. Read more about the improvements in the blog post `Ramping up ASP.NET session security <http://www.dotnetnoob.com/2013/07/ramping-up-aspnet-session-security.html>`_.
+
+`NWebsec.AzureStartupTasks <https://github.com/NWebsec/NWebsec.AzureStartupTasks/wiki>`_ helps you harden the TLS configuration for Azure web role instances. Learn why you need to harden the default TLS configuration in the blog post `Hardening Windows Server 2008/2012 and Azure SSL/TLS configuration <http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html>`_.
+
+Did you now that the SDL requires countermeasures against session fixation attacks, and that certain security headers must set by your web application? No? See [[NWebsec and the SDL]] to learn more.
 
+Check out the `NWebsec demo site <http://www.nwebsec.com/>`_ to see the headers and session security improvements in action.
 
+To keep up with new releases or to give feedback, find `@NWebsec <https://twitter.com/NWebsec>`_ on Twitter. You can also get in touch at nwebsec (at) nwebsec (dot) com.
 
-Indices and tables
-==================
+.. Indices and tables
+.. ==================
 
-* :ref:`genindex`
-* :ref:`modindex`
-* :ref:`search`
+.. * :ref:`genindex`
+.. * :ref:`modindex`
+.. * :ref:`search`
 
diff --git a/source/nwebsec/getting-started.rst b/source/nwebsec/getting-started.rst
@@ -0,0 +1,75 @@
+Getting started with NWebsec
+============================
+NWebsec lets you configure quite a few security headers, some are useful for most applications while others are a bit more specialized. Here's some guidance to get you started.
+
+First, you need to add NWebsec to your application. The easiest way to do this would be to get it through NuGet. Search for *NWebsec* in the package manager GUI, or install it through the console with one of the following commands:
+
+For an MVC3/4/5 app:
+
+..  code-block:: powershell
+
+    Install-Package NWebsec.Mvc
+
+For non-MVC apps use the following:
+
+..  code-block:: powershell
+
+    Install-Package NWebsec
+
+Alternatively, you can get the latest version of the assemblies under `releases <https://github.com/NWebsec/NWebsec/releases>`_ if you want to add them by hand. In that case, refer to [[Configuration]] to also edit the configuration by hand. 
+
+Now it's time to start securing your application! It's good practice to remove the version headers added by ASP.NET and IIS, so you'd want to *suppress version headers* for your web application. The NuGet installation procedure will make some modifications to the web.config to disable version headers.
+
+To avoid various attacks carried out through iframes, the *X-Frame-Options header* should be enabled. MIME sniffing is a source to many problems, including security issues, so you'd want to run with the *X-Content-Type-Options header*.
+
+For applications that run over SSL/TLS, you should most definitely employ the *Strict-Transport-Security header* — instructing the browser to interact with anything on your domain over a secured connection only.
+
+Unless your application needs to redirect users to arbitrary sites on the internet, you'd want *redirect validation* enabled. There might be a few sites you'd want to whitelist for redirects, in particular if you use WIF or Google/Facebook/any other external authentication provider. Consult the [[Configuration]] docs if you run into trouble.
+
+So, for an application running over http the following is a reasonable starting point for your web.config:
+
+..  code-block:: xml
+
+    <configuration>
+    ...
+      <nwebsec>
+        <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
+          <redirectValidation enabled="true" />
+          <securityHttpHeaders>
+            <x-Frame-Options policy="Deny"/>
+            <x-Content-Type-Options enabled="true" />
+          </securityHttpHeaders>
+        </httpHeaderSecurityModule>
+      </nwebsec>
+    ...
+    </configuration>
+
+If your site is served over https, you'd also want to include the Strict-Transport-Security header, as such (note that the browser will load all content over https for the entire domain when the header is used):
+
+..  code-block:: xml
+
+    <configuration>
+    ...
+      <nwebsec>
+        <httpHeaderSecurityModule xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="NWebsecConfig/HttpHeaderSecurityModuleConfig.xsd">
+          <redirectValidation enabled="true" />
+          <securityHttpHeaders>
+            <x-Frame-Options policy="Deny"/>
+            <strict-Transport-Security max-age="365" />
+            <x-Content-Type-Options enabled="true" />
+          </securityHttpHeaders>
+        </httpHeaderSecurityModule>
+      </nwebsec>
+    ...
+    </configuration>
+
+**Note!** If users can log into you application, you should always run it over https to keep your users safe!
+
+NWebsec lets you add other security headers as well, but these are more tightly coupled to the individual resources in your application. In particular, the *Content-Security-Policy (CSP) header* can significantly improve the security of a web application but also requires great care when you're building a new application from the ground up — even more so if you retrofit it onto an existing application. SendSafely has published two blog posts discussing how they dealt with the challenge, links included for the interested reader:
+
+* `Using Content Security Policy to Prevent Cross-Site Scripting (XSS) <http://blog.sendsafely.com/post/42277333593/using-content-security-policy-to-prevent-cross-site>`_
+* `Retrofitting Code for Content Security Policy <http://blog.sendsafely.com/post/50303516209/retrofitting-code-for-content-security-policy>`_
+
+See [[Configuring Content Security Policy]] to learn how to enable CSP, this is where the real job starts. Good luck! :)
+
+Note also that security headers can be enabled through MVC attributes, refer to [[NWebsec.Mvc]] for details.
diff --git a/source/nwebsec/libraries.rst b/source/nwebsec/libraries.rst
@@ -0,0 +1,15 @@
+NWebsec libraries
+=================
+NWebsec is made up of several libraries available, each with their own documentation.
+
+Check the [[Breaking changes]] if you're upgrading to a new major version.
+
+[[NWebsec]] lets you manage HTTP headers. It can remove version headers, as well as output various security HTTP headers.
+
+[[NWebsec.Mvc]] lets you manage HTTP security headers through MVC attributes.
+
+[[NWebsec.Owin]] lets you manage HTTP security headers through OWIN middleware.
+
+[[NWebsec.SessionSecurity]] improves ASP.NET session security with authenticated session identifiers.
+
+[NWebsec.AzureStartupTasks](https://github.com/NWebsec/NWebsec.AzureStartupTasks/wiki) includes an Azure startup task to harden TLS configuration on Azure web role instances.