Securing an ASP.Net MVC Site

Question

As a relative newcomer to both web and MVC, I am looking for a good summary of security best practices that I should implement.

The site will be public facing with "moderately sensitive data" (meaning we can't get sued, but probably wouldn't make many friends if the data got out!) and will have the following security steps taken: a: Forms/membership authentication and authorization b: Parameterized queries to prevent sql injection. c: Automatic timeout with x min of inactivity c: SSL for client to server encryption

What else do you recommend?

*Securing IIS and the network don't fall under my domain, so I'm more interested in the things I need to do to the software.

Answer 1

• If you are using cookies to recognize users, be sure to use an arbitrary token (such as a GUID) to store on the client for identification. I've seen too many websites that store my email address or username in my cookie... just have to change it to another!

• Write your software so that it can run under medium trust.

Answer 2

Make sure you prevent out of order requests. Ensure client is authenticated before allowing to see sensitive data, or in some cases, make sure the client has come through the correct channel, before allowing a data manipulation. For example, only allow adding an item to your cart if the request came from the product details page. If you don't check, any one can mess around with the action. The URL would be like http://server/cart/add/XYZ123 and anyone could just tweak the 'id' parameter.

Answer 3

If you are new to web development you should be aware of cross site scripting (XSS). You can use Http.Encode helper method to protect against this in ASP.NET MVC.