Before I enable access to a new site, what steps should be done to make sure it's secure and "production ready"?

So far I have the following:

• logging of errors (via ELMAH)
• SSL is enabled, and I have a redirect from HTTP to HTTPS
• <customErrors mode="RemoteOnly" />
• Compiled without Debug

My current tech stack is IIS7 & ASP.Net MVC3.

I'm sure I'm forgetting or not aware of many other items. Any advice?

1. Protect against sql injection. Use stored procedures OR parameterized sql statements. You can use dynamic sql - but be very careful and if you do - make sure you use parameterized queries and do not form the sql statements 'inline' by appending variables.

2. Protect against cross site request forgery (CSRF) by making sure you use Html.AntiForgeryToken

3. Make sure tracing is turned off

4. Make sure custom errors is turned on so yellow screens of death (ie error details) ar enot displayed to the client.

5. Protect against cross site scripting by making sure any output you display in your system from your model, database, etc. is encoded by using <%: syntax on your aspx pages and simply @XXXX on your mvc 3 pages, as mvc3 encodes everything BY DEFAULT which is a great enhancement over past methods.

6. Make sure there are no test accounts in your database.

7. Ensure no actions can be performed just by the querystring - for instance passing in /MyApp/DeleteUser/10. Require a post to perform an action, and those posts must use Html.AntiForgeryToken and [ValidateAntiForgeryToken] on your controller

8. Ensure that any users editing information on your page cannot edit (using a tool like fiddler) a primary key hidden on the page thus changing what record they are editing when they post back the changes. You can hash for instance a CustomerId on the page into a hidden field and compare it upon post to make sure it matches what is in the model.

9. Visit me at tech ed in atlanta next month for my security talk : )

1. If you are using ELMAH, make sure that access to the elmah.axd handler is secured and not open. Otherwise you are giving potential hackers valuable information.

2. Ensure your web server is completely up to date with patches and automatically downloads / installs them when available from MS. Way too many sites fail to apply these and get pwned.

3. Ensure that you have zero dynamic sql in your site; or, at the absolute very least everything is handled via parameterized queries. Along these lines, make sure the database user credentials are locked down so that it only has the capabilities you actually need (hint: dbo level is NOT appropriate).

4. Ensure that every bit of data entry done by a user is properly escaped so that if it is displayed it does not result in cross site scripting issues. Basically, do a full security audit. If it's important enough, hire an outside firm to do this.

First thing comes to mind is Search engine optimization (SEO). Use the SEO Toolkit by MS to get started.

To add to the above, I always run the free tool Xenu ( http://home.snafu.de/tilman/xenulink.html#Description ) to check for broken links. Even if you use another tool, this provides an excellent double check.

Consider placing a web.config in each sub-folder with appropriate permissions. For example if all images are held in a folder \images then that folder should not be able to serve up an ASCX file, only files with a proper image extension.

Are you doing something user friendly when you get a page not found, such as re-directing the user to a search page? Custom error pages can go a long way to making the site more useable.

You may want to have a robots.txt file and a custom icon, items that are often overlooked.