ASP.NET Security Best Practices [closed]

What are other ASP.NET security best practices?

Those identified so far are listed here:

  • Always generate new encryption keys and admin passwords whenever you are moving an application to production.

  • Never store passwords directly or in encrypted form. Always store one-way hashed passwords.

  • Always store connection strings in the <connectionStrings> section of Web.config and encrypt that configuration section by using protected configuration providers (RSA or DPAPI). See example here

  • Use a user ID with least privilege to connect to SQL Server or the database you are using. E.g. if you are only executing stored procedures from a certain module of the application, then you must create a user ID that has execute permissions only.

  • Use PrincipalPermission if you want to use role-base security on pages.

    [PrincipalPermission(SecurityAction.Demand, Role="Admin")]  
    public class AdminOnlyPage : BasePageClass  
    {  
      // ...  
    }
  • Always use parameters to prevent SQL Injection in the SQL queries.

    1. Consider installing URLScan on your IIS servers to protect against SQL Injection, and also for protecting against XSS attacks. You can use MSFT's AntiXSS library to encode output instead of the built-in HtmlEncode found in HttpServerUtility.
  • Always keep customErrors on in Web.config to keep your errors/exceptions private

    <customErrors mode="On" defaultRedirect="MyErrorPage.htm" />

  • In web applications, always validate the user's inputs for html tags or any scripts.

  • Never store sensitive information, like passwords in cookies.

  • Don't display system error messages, stack traces etc. in case of exception.
Ramesh Soni asked Nov 17 '08 09:11
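The hashed-password, encrypted-connection-string and parameterized-query items from the list above, put together in one C# example. This is an added illustration, not code from the question or from Microsoft. It assumes a table dbo.Users(UserName nvarchar(256) PRIMARY KEY, PasswordHash varbinary(32), Salt varbinary(16)), a connection string named "AppDb" in the <connectionStrings> section of Web.config, and .NET Framework 4 or later (where Rfc2898DeriveBytes is disposable).

```csharp
// Added example: a small user store that applies several of the listed practices.
// Assumed schema: dbo.Users(UserName nvarchar(256) PK, PasswordHash varbinary(32), Salt varbinary(16)).
// Assumed config: <connectionStrings><add name="AppDb" connectionString="..." /></connectionStrings>
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Configuration;

public static class UserStore
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 10000; // PBKDF2 work factor; raise it as hardware allows

    // The connection string lives in <connectionStrings>, never in code.
    // ConfigurationManager decrypts a DPAPI/RSA-protected section transparently.
    private static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; }
    }

    // Encrypt the <connectionStrings> section in place with the DPAPI provider
    // (the in-code equivalent of aspnet_regiis -pe). Run once on the target
    // machine, e.g. from a deployment step; appVirtualPath is e.g. "/MyApp".
    public static void ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }

    // Store only a per-user salted one-way hash, never the password itself.
    public static void CreateUser(string userName, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Pbkdf2(password, salt);

        // Parameters, not string concatenation: user input stays data and
        // never becomes part of the SQL text.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO dbo.Users (UserName, PasswordHash, Salt) VALUES (@u, @h, @s)", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@h", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.Parameters.Add("@s", SqlDbType.VarBinary, SaltSize).Value = salt;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Recompute the hash with the stored salt and compare; nothing reversible is kept.
    public static bool VerifyPassword(string userName, string password)
    {
        byte[] storedHash, salt;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, Salt FROM dbo.Users WHERE UserName = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown user
                storedHash = (byte[])reader["PasswordHash"];
                salt = (byte[])reader["Salt"];
            }
        }
        return FixedTimeEquals(Pbkdf2(password, salt), storedHash);
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compare every byte so the time taken does not reveal where a mismatch occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

ProtectConnectionStrings does the same job as running aspnet_regiis -pe "connectionStrings" -app "/MyApp" on the server; either way the section is readable only on the machine (DPAPI) or by holders of the RSA key container, while the application code keeps reading it through ConfigurationManager unchanged. The SQL login named in the connection string should be the least-privilege one from the list above, e.g. one granted INSERT/SELECT on dbo.Users (or EXECUTE on the relevant stored procedures) and nothing else.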


4 Answers

I found Microsoft's Developer Highway Code to be a useful security checklist.

Phil Jenkins answered Oct 14 '22 16:10


Microsoft has a lot to say about this subject:

  • ASP.NET Web Application Security.
  • Improving Web Application Security (an entire book dedicated to the subject)
Jonas Kongslund answered Oct 14 '22 18:10


  1. Never store sensitive information like passwords in cookies.
  2. Don't display system error messages, stack traces etc. in case of exception.
Programmer answered Oct 14 '22 18:10


Check out the new Security Runtime Engine (beta came out on November 14):

http://blogs.msdn.com/cisg/archive/2008/10/24/a-sneak-peak-at-the-security-runtime-engine.aspx

http://blogs.msdn.com/cisg/archive/2008/11/13/an-update-on-some-upcoming-free-tools.aspx

This should replace the current Anti-XSS library.

Anthony :-) www.codersbarn.com

IrishChieftain answered Oct 14 '22 17:10