Posted 22 Jul 2016
Licenced CPOL

ASP.NET Don'ts and Dos



Some folks may keep falling into a trap and are unaware of what they are doing. This post highlights the Dos and the Don’ts in general regarding ASP.NET. The majority of the items listed are taken from the ASP.NET team recommendations. Though this may not be a complete checklist, it covers some of the most common “gotchas” folks run into.

If you know other tips about the Dos and Don’ts in ASP.NET in general, feel free to drop a comment so I can update the list. :)

Control Adapters

If you are still using Control Adapters, which is most likely if you work with WebForms, avoid them as much as possible.

  • Avoid: Control Adapters, as these were created to support mobile controls rendering different markups for different devices.

  • Prefer: CSS media queries, responsive design and mobile specific views.

Style Properties on Controls

  • Try to Avoid: The four thousand specific control style properties, e.g. EditItemTemplate-AlternateItem-Font-ForeColor-SomeStyle-Blah-Blah :S
  • Try to Avoid: Using inline CSS styles, e.g. style="color:yellow;text-align:center;"
  • Prefer: CSS stylesheets. You can roll your own, use Bootstrap, or combine Bootstrap with your own CSS.

JavaScript Frameworks and AjaxControlToolkit

  • Try to Avoid: Mixing jQuery or other JS framework code with WebForms' AjaxControlToolkit controls, as this can cause functionality issues.
  • Prefer: Stick to the specific control libraries.

UpdatePanel Control

  • Do Not: Overuse it (think about performance and maintainability).
  • Do: Use it when necessary and when it makes sense.
  • Try to Avoid: Relying on it; it doesn’t help you become a better web developer.
  • Prefer: AJAX, e.g. jQuery AJAX, which can be used to do asynchronous updates.

Page and Control Callbacks

  • Try to Avoid: Page callbacks or control callbacks.
  • Prefer: Anything else, e.g. Page Method, Web Service, AJAX, Web API.

Scripts and CSS Files

  • Do: Minify and bundle your CSS and script files when deploying to production.
  • Try to Avoid: Deploying unminified scripts and CSS when you can minify them.

Static Script References

  • Try to Avoid: Referencing local copies of common scripts (e.g. jQuery).
  • Prefer: Use a CDN (Content Delivery Network) when referencing static files.
  • But Always: Include a fallback local reference, in case the CDN fails.

Capability Detection

  • Try to Avoid: BrowserCaps, as it has a history of breaking as new browser versions are released
  • Prefer: Client-side feature detection and lightup, such as via Modernizr.

SQL Queries

  • Do Not: Append input values directly into your SQL statement, because it exposes you to SQL injection attacks. It’s a big NO NO!
  • Do:

    (1) Use parameterized queries
    (2) Stored Procedures
    (3) ORM e.g. Entity Framework, NHibernate etc.

This article covers the prevention of SQL injection: Protect Your Data: Prevent SQL Injection
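The concatenated and parameterized forms side by side, as an added example that is not part of the original article. The `Customers` table, its columns and the `CustomerQueries` class are hypothetical, and the sample input is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerQueries
{
    // "Do Not" form: the input becomes part of the SQL text, so a quote
    // character in the value changes the statement the server parses.
    public static string BuildConcatenated(string lastName)
    {
        return "SELECT Id, LastName FROM Customers WHERE LastName = '" + lastName + "'";
    }

    // "Do" form: the SQL text is a constant and the value travels separately
    // as a typed parameter, so the server always treats it as data.
    public static SqlCommand BuildParameterized(string lastName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, LastName FROM Customers WHERE LastName = @lastName");
        // Explicit type and length instead of relying on type inference.
        cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
        return cmd;
    }

    public static void Main()
    {
        string input = "O'Brien"; // constructed sample input

        // The apostrophe ends the string literal early: the shape of the
        // statement is now decided by the input, not by the developer.
        Console.WriteLine(BuildConcatenated(input));

        using (SqlCommand cmd = BuildParameterized(input))
        {
            // The command text is identical for every input.
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("{0} = {1}",
                cmd.Parameters[0].ParameterName, cmd.Parameters[0].Value);
            // With an open SqlConnection (assumed, not shown) you would set
            // cmd.Connection and call cmd.ExecuteReader() here.
        }
    }
}
```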

Displaying of Data

  • Do Not: Display huge amounts of data in your page as it can affect the performance of your App, and it is not user-friendly.
  • Do: Limit the amount of data to be displayed.

    (1) Filter out items and load the associated data.
    (2) Apply paging (e.g. using custom paging with LINQ or using SQL paging).
    (3) Apply data caching (but be careful: use it only where it makes sense).

Request Validation

  • Do Not: Depend on the request validation to protect your site against XSS attacks.
  • Do:

    (1) Validate well-formedness of the data.
             "Is this user-submitted value a valid System.Uri whose scheme is http: or https:?"
    (2) Encode data on the way out.
             CSHTML: @foo
             ASPX: <%: foo %>
    (3) Don’t forget about JavaScriptStringEncode, UrlEncode, etc.
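The three steps above carried through in code-behind style C#, as an added example that is not part of the original article. The class and method names are hypothetical and the sample inputs are constructed; only `System.Uri` and `System.Web.HttpUtility` calls are used.

```csharp
using System;
using System.Web; // HttpUtility lives in System.Web.dll

public static class OutputEncodingExample
{
    // Step 1: well-formedness check. Accept only absolute http/https URLs.
    public static bool TryGetWebUrl(string submitted, out Uri url)
    {
        return Uri.TryCreate(submitted, UriKind.Absolute, out url)
            && (url.Scheme == Uri.UriSchemeHttp || url.Scheme == Uri.UriSchemeHttps);
    }

    // Step 2: encode on the way out, per context (attribute vs. element text).
    public static string RenderLink(string submittedUrl, string submittedLabel)
    {
        Uri url;
        if (!TryGetWebUrl(submittedUrl, out url))
        {
            // Rejected URL: render the label as plain encoded text, no link.
            return HttpUtility.HtmlEncode(submittedLabel);
        }

        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(url.AbsoluteUri) + "\">"
             + HttpUtility.HtmlEncode(submittedLabel) + "</a>";
    }

    // Step 3: a value emitted inside a script block needs JavaScript string
    // encoding; HTML encoding is the wrong tool for that context.
    public static string RenderScriptVariable(string submittedLabel)
    {
        // The second argument wraps the encoded value in double quotes.
        return "var label = " + HttpUtility.JavaScriptStringEncode(submittedLabel, true) + ";";
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(RenderLink("https://example.com/a?b=1&c=2", "Tom & <Jerry>"));
        Console.WriteLine(RenderLink("javascript:void(0)", "Tom & <Jerry>")); // scheme rejected
        Console.WriteLine(RenderScriptVariable("it's \"quoted\""));
    }
}
```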

Cookieless Forms Auth & Session

  • Do Not: Enable cookieless forms authentication or session, as they could make your users victims of malicious attacks.
  • Do:

    (1) Enable "require cookies" for these features.
    (2) Consider using only secure (SSL) cookies for the sites serving sensitive information.


For the developers who use ASP.NET runtime < 4.5.2

  • Do Not: Set EnableViewStateMac = false
  • Not Ever: Not even on a single page.

    "But I’m not using ViewState!" is not a valid excuse.
  • Do: Tease Microsoft for even allowing this as an option in the first place. :D

    Well, MS already forbade it when they released ASP.NET 4.5.2.

Medium Trust

  • Do Not: Depend on Medium Trust (or any other <trust> level) as a security boundary.
  • Do:

    (1) Place untrusted Applications into their own Application pools.
    (2) Run each Application pool under its own unique identity.
    (3) You can follow some guidance here:


  • Do Not: Use <appSettings> to disable Microsoft security fixes for any lengthy period in production.
  • Do: Use Microsoft's security-sensitive <appSettings> config only as temporary compatibility shims while rolling out server upgrades or patches.

Consult the list here.


  • Do Not: Use UrlPathEncode to encode arbitrary user-provided strings.
  • Do:

    (1) Sanitize inputs instead, checking that the submitted URL is well-formed.
    (2) Use UrlEncode to encode user input meant to appear as a query string parameter in the URL.
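Why the two encoders are not interchangeable for query string values, as an added example that is not part of the original article. The `/search?q=` URL and the class name are hypothetical and the sample input is constructed; the query is parsed back with `HttpUtility.ParseQueryString` to show what the receiving page would see.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility lives in System.Web.dll

public static class QueryStringEncodingExample
{
    // "Do Not" form: UrlPathEncode targets the path part of a URL and
    // leaves query delimiters such as '&' and '=' untouched.
    public static string BuildWithPathEncode(string term)
    {
        return "/search?q=" + HttpUtility.UrlPathEncode(term);
    }

    // "Do" form: UrlEncode escapes the delimiters, so the whole input
    // stays inside the single parameter it was meant for.
    public static string BuildWithUrlEncode(string term)
    {
        return "/search?q=" + HttpUtility.UrlEncode(term);
    }

    // Parse the query string back the way the receiving page would see it.
    public static NameValueCollection ParseQuery(string relativeUrl)
    {
        string query = relativeUrl.Substring(relativeUrl.IndexOf('?') + 1);
        return HttpUtility.ParseQueryString(query);
    }

    public static void Main()
    {
        string term = "tom&jerry=1"; // constructed sample input

        foreach (string url in new[] { BuildWithPathEncode(term), BuildWithUrlEncode(term) })
        {
            NameValueCollection parsed = ParseQuery(url);
            // Compare how many parameters arrive and what "q" contains.
            Console.WriteLine("{0} -> {1} parameter(s), q = \"{2}\"",
                url, parsed.Count, parsed["q"]);
        }
    }
}
```

With the path encoder the input splits into an extra parameter that the caller never intended to send; with `UrlEncode` the receiving side gets the original string back in `q`.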

PreSendRequestHeaders & PreSendRequestContent

  • Try to Avoid: Registering for these events from within managed IHttpModule instances.
  • Prefer: Using native IIS modules, if you need to hook these asynchronous pipeline events.

Asynchronous Page Events

  • Try to Avoid: Writing async void methods [like Page_Load] for page life-cycle events.
  • Prefer: Using Page.RegisterAsyncTask() instead, if you need to register asynchronous work.
  • Do: Set <httpRuntime targetFramework="4.5" /> if using Task.

Response.Redirect & End

Be Aware: Response.Redirect(String) calls Response.End(), which aborts the current thread in synchronous requests and halts code execution.

For asynchronous handlers, Response.End() does not abort the current thread, so code execution continues.

If you need to redirect the response, use the method appropriate for the framework you’re using. For example, in MVC, return a RedirectResult instead of calling Response.Redirect.

EnableViewState & ViewStateMode

  • Try to Avoid: Using EnableViewState.
  • Prefer:

    (1) Set ViewStateMode="Disabled" at page directive level.
    (2) Set ViewStateMode="Enabled" only on the controls that require state.


Be Aware: Replaced by the UniversalProviders and ASP.NET Identity, which work with all the databases that Entity Framework supports, including SQL, Azure SQL, SQL Compact, MySQL and more.

Long-Running Request

  • Try to Avoid: Session, as ASP.NET will forcibly release the session object lock at a potentially inopportune time.
  • Try to Avoid: Blocking I/O operations.
  • Prefer: WebSockets, if possible, as they have much lower per-request memory overhead.

Real-Time Updates

  • Try to Avoid: The traditional way of pinging the Server for the updates with AJAX.
  • Prefer: ASP.NET SignalR. It provides a simple and clean API that allows you to create real-time web apps. HTML5 is also worth trying.


  • Do Not: Stick to using Web Forms.
  • Do:

    (1) Learn other technologies that ASP.NET offers, such as MVC, Web API, SignalR and ASP.NET Mobile.
        Also check out the new ASP.NET Core.
    (2) Learn JavaScript frameworks (e.g. Angular, Knockout, React, etc.).
    (3) Keep up to date with the latest releases and know the new features they offer.



This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Vincent Maverick Durano
Software Developer (Senior)
United States
A code monkey who loves to drink beer, play guitar and listen to music.

My exploration into programming began at the age of 15; Turbo PASCAL, C, C++, JAVA, VB6, Action Scripts and a variety of other equally obscure acronyms, mainly as a hobby. After several detours, I am here today on the VB.NET to C# channel. I now work on ASP.NET/Core + C# + MSSQL/Postgres + EF + Web API + JavaScripts + AJAX + Xamarin, which go together like coffee crumble ice cream.

9-time Microsoft MVP, 3-time C# Corner MVP, CodeProject MVP, Microsoft Influencer, Dzone MVB and a regular contributor at CodeAsp.Net in which I also moderate, C# Corner, AspSnippets, Xamarin but more often at the official Microsoft ASP.NET community site where I became one of the All-Time Top Answerer with ALL-STAR recognition level (the highest attainable level).

My main interests include technologies, travel, beaches, mountains, paintings, arts, supernatural, ghosts, angels, vampires, mythology, mysteries, para-sciences, scifi, music, guitar, cars and motorbikes.

Last Updated 24 Jul 2016
Article Copyright 2016 by Vincent Maverick Durano