Defensive techniques for ASP.MVC for internet facing site.

views:

answers:

Defensive techniques for ASP.MVC for internet facing site.

I am working on my first asp MVC project that will ultimately end up on a publicly accessible web server (I have worked on some internal apps in MVC). What techniques, practices should I be thinking about (specific to MVC or otherwise) to improve security.

Off the top of my head obviously there is the AcceptVerb attribute for actions and Validation what else?

+1 A:

Anti Forgery Token :)

brianng 2009-12-03 15:19:40

Ah yes, had a fun time with this with JQuery ajax posts. See my other post http://stackoverflow.com/questions/1786500/using-validateantiforgerytoken-with-ajax-actionlink

Michael Gattuso 2009-12-03 15:24:51

+1 A:

A couple of points:

Encode every user input
Use anti forgery tokens
Use POST verbs for every request that modifies state

Darin Dimitrov 2009-12-03 15:20:17

+1 A:

The Windows Live team has written a white-paper describing lessons learned using ASP.NET MVC on certain Windows Live properties. They do a lot of security analysis and present their security tips here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en

Haacked 2009-12-04 18:02:12

An interesting read. Thanks for linking.

Michael Gattuso 2009-12-04 20:25:11

ansaurus

tags:

views:

answers:

Defensive techniques for ASP.MVC for internet facing site.

related questions