What are other ASP.NET security best practices?
Those identified so far are listed here:
Always generate new encryption keys and admin passwords whenever you are moving an application to production.
Never store passwords directly or in encrypted form. Always store one-way hashed passwords.
Always store connection strings in the <connectionStrings> tag of Web.config and encrypt that configuration section by using protected configuration providers (RSA or DPAPI). See example here
Use a user ID with least privilege to connect to SQL Server or the database you are using. E.g. if you are only executing stored procedures from a certain module of the application, then you must create a user ID which has permission to execute only.
Use PrincipalPermission if you want to use role-based security on pages.
using System.Security.Permissions;

// Demands the "Admin" role before the page class can be used; a SecurityException is thrown otherwise.
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public class AdminOnlyPage : BasePageClass
{
    // ...
}
Always use parameters to prevent SQL Injection in the SQL queries.
- Consider installing URLScan on your IIS servers to protect against SQL Injection. Also, for protecting against XSS attacks, you can use MSFT's AntiXSS library to encode output instead of the built-in HtmlEncode found in HttpServerUtility.
Always keep customErrors on in Web.config to keep your errors/exceptions private
<customErrors mode="On" defaultRedirect="MyErrorPage.htm" />
In web applications, always validate the user's inputs for HTML tags or any scripts.
Never store sensitive information, like passwords in cookies.
- Don't display system error messages, stack traces, etc., in case of an exception.
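As an added example (not code from the original post), this Global.asax code-behind backs the customErrors setting and the "don't display stack traces" point: the full exception is written to the server-side trace log, then cleared so ASP.NET never renders its default error page to the browser. The error page path matches the customErrors snippet above; the use of System.Diagnostics.Trace as the log sink is an assumption.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example: centralised error handling that keeps exception detail private.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Page errors arrive wrapped in HttpUnhandledException; log the root cause.
        Exception root = ex.GetBaseException();

        // Type, message, stack trace and request URL go to the server log only.
        Trace.TraceError("Unhandled {0} at {1}: {2}{3}{4}",
            root.GetType().FullName,
            Request.RawUrl,
            root.Message,
            Environment.NewLine,
            root.StackTrace);

        // Discard the exception so the runtime does not emit its own detailed error page,
        // then send the user to the generic page referenced by customErrors.
        Server.ClearError();
        Response.Redirect("~/MyErrorPage.htm", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

With mode="On" the generic page is shown to every client, including local requests; mode="RemoteOnly" keeps details visible for requests from the server itself, which is useful on a developer machine but should not be relied on in production.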