Web.config security related configuration

web.config is located in the root directory

1, authentication node

<system.web>

<!--Configuring the secure identity used by ASP.NET Verify the mode to identify incoming users. -->

<authentication mode="Forms">

<forms loginUrl="~/User/Login.aspx" name=".ASPXAUTH" defaultUrl ="User/Default.aspx" timeout="30" path="/"/>

</authentication>

Forms-based identity Verify the configuration site. When a non-logged-in user accesses a webpage that requires authentication, the webpage automatically jumps to the login webpage. The element loginUrl represents the name of the login web page, the name represents the cookie name

2, the authorization node

<!--Configure the authorization of the web application to control the client's access to the URL resource . -->

<authorization>

<allow users="*"/>

<deny users="?"/>

</authorization>

allow Adds a rule to the authorization rule map that allows access to resources.

deny adds an authorization rule that denies access to resources to the authorization rule map.

user="*" means that any user users="?" refers to authenticated users

Note: At runtime, the authorization module is from the most local configuration file To begin, iterate through the allow and deny elements until it finds the first access rule that fits a particular user account. The authorization module then allows or denies access to the URL resource based on whether the first access rule found is an allow or deny rule. The default authorization rule is <allow users="*"/>. Therefore, access is allowed by default unless otherwise configured.

If the web.config configuration in the root directory is too cumbersome, you can configure it to the appropriate directory, for example, the web.config file in the User directory

3. customErrors node

<customErrors mode="Off">

</customErrors>

<customErrors defaultRedirect="url"

mode="On