Thursday, January 10, 2008

.NET Security Tips

.NET Security Tips
# Keep “Persist Security Info” as false in the connection string.
# Remove the authentication cookie in Session_End event or application specific logout event.
# Security decisions should not rely only on client-side validations – they should be verified on the server side too!
# Hashed password format should be specified in provider configuration.
# The website should be partitioned into public access areas and restricted areas that require authentication access. Navigation between these areas should not flow sensitive credentials information.
# Protect your website against Cross-Site Scripting or XSS attacks
# Dynamic queries that accept user input should be used only if stored procedures cannot be used. Even these queries should use parameters.
# Ensure that utilizing the “View source” option does not divulge any sensitive information.
# Set mode attribute in customErrors to On to prevent displaying detailed error messages to the caller.
# Ensure that utilizing the “View source” option does not divulge any sensitive information.