Defensive techniques for ASP.MVC for internet facing site


I am working on my first ASP.NET MVC project that will ultimately end up on a publicly accessible web server (I have worked on some internal apps in MVC). What techniques and practices should I be thinking about (specific to MVC or otherwise) to improve security?

Off the top of my head there is obviously the AcceptVerb attribute for actions, and validation; what else?


There are 3 answers

Haacked On BEST ANSWER

The Windows Live team has written a white-paper describing lessons learned using ASP.NET MVC on certain Windows Live properties. They do a lot of security analysis and present their security tips here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en

brianng On
Darin Dimitrov On

A couple of points:

  • Encode every user input
  • Use anti forgery tokens
  • Use POST verbs for every request that modifies state
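As an added illustration of those three points (not code from any of the answers), here is a controller in the ASP.NET MVC 1/2 style with a weak action next to its hardened form, plus the view helpers that pair with it; the CommentController, ICommentRepository and Comment names are made up for the example.

```csharp
using System.Web.Mvc;

// Hypothetical model and repository, assumed only so the example compiles.
public class Comment { public int Id { get; set; } public string Body { get; set; } }
public interface ICommentRepository { void Add(Comment c); void Delete(int id); }

public class CommentController : Controller
{
    private readonly ICommentRepository _comments;
    public CommentController(ICommentRepository comments) { _comments = comments; }

    // Weak: a GET that changes state. Any page the logged-in user visits can trigger it
    // with a plain <img src="/Comment/Delete/5"> or a link, so it is cross-site forgeable.
    public ActionResult Delete(int id)
    {
        _comments.Delete(id);
        return RedirectToAction("Index");
    }

    // Hardened: only POST is accepted, and the request must carry the anti-forgery token
    // that Html.AntiForgeryToken() wrote into the form; the filter compares the form
    // field against the matching cookie and rejects the request if they disagree.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        _comments.Delete(id);
        return RedirectToAction("Index");
    }

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Create(string body)
    {
        if (string.IsNullOrEmpty(body)) ModelState.AddModelError("body", "Required");
        if (!ModelState.IsValid) return View();
        _comments.Add(new Comment { Body = body }); // stored as typed; encoded on output
        return RedirectToAction("Index");
    }
}

/* Index.aspx fragment (Web Forms view engine of the same era), per comment in Model:
   <% using (Html.BeginForm("DeleteConfirmed", "Comment")) { %>
       <%= Html.AntiForgeryToken() %>          // hidden token field + cookie
       <%= Html.Hidden("id", comment.Id) %>
       <input type="submit" value="Delete" />
   <% } %>
   <%= Html.Encode(comment.Body) %>            // HTML-encode user text on output;
                                               // <%= comment.Body %> would render raw markup
*/
```

Encoding at output time (Html.Encode) rather than at input time keeps the stored data intact and still neutralises markup wherever it is rendered.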