Click here to Skip to main content
Click here to Skip to main content

Secure Coding Guidelines

, 15 Feb 2006
Rate this:
Please Sign up or sign in to vote.
Some general guidelines to keep in mind when writing code
<!-- Article Starts - DO NOT ADD HTML/BODY START TAGS-->

Introduction

The following guide lines are extracted from the book "Pro ASP.NET 2.0 in C# 2005".
In terms of web applications,you should always keep the following guidelines in mind when writing code:

Never trust user input

Assume that every user is evil until you have proven the opposite.
Therefore, always strongly validate user input. Write your validation code in a way that it verifies input against only allowed values and not invalid values. (There are always more invalid values than you might be aware of at the time of writing the application.)

Never use string concatenation for creating SQL statements

Always use parameterized statements so that your application is not SQL injectable.


Never output data entered by a user directly on your web page before validating and encoding it:

The user might enter some HTML code fragments (for example, scripts) that lead to
cross-site scripting vulnerabilities. Therefore, always use HttpUtility.HtmlEncode() for escaping special characters such as < or > before outputting them on the page, or use a web control that performs this encoding automatically.

Never store sensitive data, business-critical data, or data that affects internal business rule decisions made by your application in hidden fields on your web page:

Hidden fields can be changed easily by just viewing the source of the web page, modifying it, and saving it to a file. Then an attacker simply needs to submit the locally saved, modified web page to the server. Browser plug-ins are available to make this approach as easy as writing an e-mail with.

Never store sensitive data or business-critical data in view state:

View state is just another hidden field on the page, and it can be decoded and viewed easily. If you use the EnableViewStateMAC=true setting for your page, view state will be signed with a message authentication code that is created based on a machine key of the web server’s machine.config. We recommend using EnableViewStateMAC=true as soon as you include data in your view state that should not be changed by users browsing your web page.

Enable SSL when using Basic authentication or ASP.NET forms authentication
Protect your cookies:

Always protect your authentication cookies when using forms authentication, and set timeouts as short as possible and only as long as necessary.

Use SSL:

In general, if your web application processes sensitive data, secure your whole website
using SSL. Don’t forget to protect even image directories or directories with other files not
managed by the application directly through SSL.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

HRiazi
Engineer
Iran (Islamic Republic Of) Iran (Islamic Republic Of)
I was born in Shiraz (Iran). The city of popular poets and flowers.
Studied more than 8 years in Canada and was at UNB (University of New Brunswick) for a year.
Graduated from Shiraz University in field of Computer Eng.
MBA - Management at Khazar University
Love to play Soccer and write C# code.

Comments and Discussions

 
GeneralThanks for your article PinmemberLe Van Long19-Mar-11 4:04 
GeneralMy vote of 2 PinmemberGJ.Coder26-Sep-09 22:58 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.140709.1 | Last Updated 16 Feb 2006
Article Copyright 2006 by HRiazi
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid