What are the best ASP.net practices to keep my website secure?

Question added by George Durzi, Digital Marketing Manager, Dyson
Date Posted: 2013/04/25
by Ashraf Sabry, Freelancer developer, N/A

This is a big subject. Here are some points off the top of my head:

- Always use both encryption and validation for your authentication cookies (forms tag of web.config).
- Encrypt your viewstate (if you're using WebForms).
- Don't store passwords in plain text in the database. Store their hashes.
- Always treat input from the user as malicious. Don't use input from controls, URL parameters (query string) or cookies without sanitizing it against SQL and script injections.
- When dealing with the database, use command parameters (SqlParameter for example) if you use plain ADO.Net, or use an ORM like Entity Framework. DO NOT concatenate SQL using input from users.
- Use protection and sanitization libraries like AntiXSS (https://wpl.codeplex.com/) and AntiCSRF (http://anticsrf.codeplex.com/).
- For the more paranoid: disable the HTTP headers that disclose the technologies you use. ASP.Net, for example, adds a Powered By ASP.Net x.x header.
- Follow security specialists like Troy Hunt (http://www.troyhunt.com/). He made a wiki specially for the subject (but I can't find it now. Sorry), and a security audit tool (https://asafaweb.com/).
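The parameterised-query and password-hashing points in the answer above, as an added C# example (not code from the answer, nor from any library it names). The Users table, its column names and the PBKDF2 iteration count are assumptions.

```csharp
// Added example: ADO.Net parameters instead of string concatenation, and salted
// hashes instead of plain-text passwords. Table/column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class SafeUserStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000; // assumed; tune for your hardware

    // What the answer warns against: the user-supplied value becomes part of the
    // SQL text, so the query's meaning depends on what the user typed.
    public static string UnsafeLookupSql(string userName)
    {
        return "SELECT Id FROM Users WHERE UserName = '" + userName + "'";
    }

    // Safe form: the value travels as a typed SqlParameter and is never parsed as SQL.
    public static SqlCommand BuildLookup(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, PasswordHash, Salt FROM Users WHERE UserName = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // Store a PBKDF2 hash (Rfc2898DeriveBytes) with a fresh random salt per user.
    public static byte[] HashPassword(string password, out byte[] salt)
    {
        salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Re-derive with the stored salt and compare in constant time, so the check
    // does not leak how many leading bytes matched.
    public static bool VerifyPassword(string password, byte[] storedHash, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] candidate = kdf.GetBytes(HashBytes);
            int diff = candidate.Length ^ storedHash.Length;
            for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
                diff |= candidate[i] ^ storedHash[i];
            return diff == 0;
        }
    }
}
```

Only the salt and the hash are written to the Salt and PasswordHash columns; the password itself is never stored.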
