Defensive techniques for ASP.MVC for internet facing site

Question

I am working on my first asp MVC project that will ultimately end up on a publicly accessible web server (I have worked on some internal apps in MVC). What techniques, practices should I be thinking about (specific to MVC or otherwise) to improve security.

Off the top of my head obviously there is the AcceptVerb attribute for actions and Validation what else?

score 1 · Answer 1 · answered Dec 03 '09 at 15:19

1

Anti Forgery Token :)

answered Dec 03 '09 at 15:19

brianng

5,790
1
32
23

Ah yes, had a fun time with this with JQuery ajax posts. See my other post http://stackoverflow.com/questions/1786500/using-validateantiforgerytoken-with-ajax-actionlink – Michael Gattuso Dec 03 '09 at 15:24

score 1 · Answer 2 · answered Dec 03 '09 at 15:20

1

A couple of points:

Encode every user input
Use anti forgery tokens
Use POST verbs for every request that modifies state

answered Dec 03 '09 at 15:20

Darin Dimitrov

1,023,142
271
3,287
2,928

score 1 · Accepted Answer · answered Dec 04 '09 at 18:02

The Windows Live team has written a white-paper describing lessons learned using ASP.NET MVC on certain Windows Live properties. They do a lot of security analysis and present their security tips here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7606f801-70c5-49ca-a18c-91d4ed725833&displaylang=en

Defensive techniques for ASP.MVC for internet facing site

3 Answers3