Skip to content

Security Considerations (Access, Firewalls, SSL Certificate)

Access Control

  • Use IIS and network firewalls to restrict access to the application where appropriate (e.g. VPN or IP whitelisting).
  • Ensure that only authorised users can access login pages and the application.

Authentication & Authorisation

  • The application uses ASP.NET membership and roles; ensure:
  • Strong password policies are enforced.
  • User provisioning and de-provisioning processes are in place.
  • Role assignments reflect least-privilege principles.

Network Security

  • Firewalls:
  • Restrict inbound traffic to HTTP/HTTPS ports required for the site.

  • Restrict outbound traffic to necessary services (database, SMTP).

  • Database:

  • Restrict SQL Server access to the web server and trusted admin networks only.

SSL / TLS

  • Install a valid SSL certificate for the application domain.
  • Configure IIS to:
  • Prefer HTTPS.
  • Optionally redirect HTTP to HTTPS.

Configuration Secrets

  • Avoid storing live credentials (DB and SMTP passwords) in cleartext where possible.
  • If required, protect web.config sections using IIS / ASP.NET configuration encryption or infrastructure secrets management.

Any security audits, penetration tests, or compliance requirements (e.g. POPIA, GDPR where applicable) should reference this section.