Secure Coding Guidelines

15 Feb 2006
Some general guidelines to keep in mind when writing code

Introduction

The following guidelines are extracted from the book "Pro ASP.NET 2.0 in C# 2005".
In terms of web applications, you should always keep the following guidelines in mind when writing code:

Never trust user input

Assume that every user is evil until you have proven the opposite.
Therefore, always strongly validate user input. Write your validation code so that it checks input against the allowed values only, not against known-bad values. (There are always more invalid values than you are aware of at the time of writing the application.)

Never use string concatenation for creating SQL statements

Always use parameterized statements so that your application is not SQL injectable.

Never output data entered by a user directly on your web page before validating and encoding it

The user might enter some HTML code fragments (for example, scripts) that lead to cross-site scripting vulnerabilities. Therefore, always use HttpUtility.HtmlEncode() for escaping special characters such as < or > before outputting them on the page, or use a web control that performs this encoding automatically.
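The three guidelines above (allow-list validation, parameterized SQL, and encoding before output) fit together in one request handler. The following code-behind is an added example written for this page; it is not from the article or from the book it cites. It assumes a Products table with Name and Price columns, a connection string named "Shop" in web.config, and a page containing a TextBox SearchBox, a Button SearchButton, a Label ErrorLabel and a Literal ResultsLiteral.

```csharp
// Added example (not from the article): a product search that validates the
// term against an allow-list, queries with a typed parameter, and HTML-encodes
// everything it writes back to the page.
// Assumptions: Products(Name, Price) table, connection string "Shop",
// controls SearchBox, SearchButton, ErrorLabel, ResultsLiteral.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class ProductSearch : Page
{
    // Allow-list: letters, digits and spaces, 1 to 50 characters. Anything else is
    // rejected, rather than trying to enumerate every character an attacker might use.
    private static readonly Regex AllowedSearchTerm =
        new Regex(@"^[A-Za-z0-9 ]{1,50}$", RegexOptions.Compiled);

    protected void SearchButton_Click(object sender, EventArgs e)
    {
        string term = SearchBox.Text.Trim();

        if (!AllowedSearchTerm.IsMatch(term))
        {
            // Do not echo the rejected input; a fixed message is enough.
            ErrorLabel.Text = "Please enter letters and digits only (1-50 characters).";
            return;
        }

        ResultsLiteral.Text = RenderResults(term);
    }

    private static string RenderResults(string term)
    {
        // Never: "SELECT ... WHERE Name LIKE '%" + term + "%'" (string concatenation).
        // The SQL text is fixed; the user's value arrives only through @pattern.
        const string sql = "SELECT Name, Price FROM Products WHERE Name LIKE @pattern";

        string connectionString =
            ConfigurationManager.ConnectionStrings["Shop"].ConnectionString;

        StringBuilder html = new StringBuilder("<ul>");

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            // A typed parameter: quotes or SQL keywords inside the value stay data.
            command.Parameters.Add("@pattern", SqlDbType.NVarChar, 52).Value = "%" + term + "%";

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Data read back from the database is still untrusted output:
                    // encode it before it becomes part of the page.
                    html.Append("<li>")
                        .Append(HttpUtility.HtmlEncode(reader.GetString(0)))
                        .Append(" - ")
                        .Append(HttpUtility.HtmlEncode(reader.GetDecimal(1).ToString("C")))
                        .Append("</li>");
                }
            }
        }

        return html.Append("</ul>").ToString();
    }
}
```

The allow-list also keeps the LIKE wildcards % and _ out of the search term, so the user cannot widen the pattern; the length cap matches the parameter size passed to SqlDbType.NVarChar.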

Never store sensitive data, business-critical data, or data that affects internal business rule decisions made by your application in hidden fields on your web page

Hidden fields can be changed easily by just viewing the source of the web page, modifying it, and saving it to a file. Then an attacker simply needs to submit the locally saved, modified web page to the server. Browser plug-ins are available that make this approach as easy as writing an e-mail.

Never store sensitive data or business-critical data in view state

View state is just another hidden field on the page, and it can be decoded and viewed easily. If you use the EnableViewStateMAC=true setting for your page, view state will be signed with a message authentication code that is created based on a machine key of the web server’s machine.config. We recommend using EnableViewStateMAC=true as soon as you include data in your view state that should not be changed by users browsing your web page.
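As an added example for the two guidelines above (written for this page, not taken from the article or the book), the page below posts back only a product identifier in a hidden field, keeps the price on the server, and signs its view state. It assumes a HiddenField ProductIdField, Labels PriceLabel, ErrorLabel and ConfirmationLabel, a Button BuyButton, and a server-side Catalog lookup; the Catalog class here is a stand-in with constructed sample prices.

```csharp
// Added example (not from the article): the client gets an identifier to post
// back, never the price; the price is re-read on the server on every postback.
// Assumptions: controls ProductIdField, PriceLabel, ErrorLabel,
// ConfirmationLabel, BuyButton; Catalog is a stand-in with constructed data.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

// Stand-in for the real product catalog (constructed sample prices).
internal static class Catalog
{
    private static readonly Dictionary<int, decimal> Prices = new Dictionary<int, decimal>();

    static Catalog()
    {
        Prices.Add(42, 19.99m);
        Prices.Add(43, 249.00m);
    }

    public static bool TryGetPrice(int productId, out decimal price)
    {
        return Prices.TryGetValue(productId, out price);
    }
}

public partial class ProductPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Same setting as <%@ Page EnableViewStateMac="true" %> in the .aspx file:
        // view state is signed with the machineKey, so a modified copy is rejected
        // before the page ever reads it.
        EnableViewStateMac = true;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            int productId = 42; // constructed: would normally come from the query string
            decimal price;
            if (Catalog.TryGetPrice(productId, out price))
            {
                // Only the identifier goes into the hidden field. The price is shown
                // as display text and is deliberately not put in a hidden field or
                // stored in view state.
                ProductIdField.Value = productId.ToString();
                PriceLabel.Text = HttpUtility.HtmlEncode(price.ToString("C"));
            }
        }
    }

    protected void BuyButton_Click(object sender, EventArgs e)
    {
        // The hidden field came back from the browser, so it is user input:
        // validate it, then look the price up again on the server.
        int productId;
        if (!int.TryParse(ProductIdField.Value, out productId) || productId <= 0)
        {
            ErrorLabel.Text = "Invalid product.";
            return;
        }

        decimal price;
        if (!Catalog.TryGetPrice(productId, out price))
        {
            ErrorLabel.Text = "Unknown product.";
            return;
        }

        // The order uses the server's price, whatever the browser displayed.
        ConfirmationLabel.Text = "Order placed for product " + productId +
                                 " at " + HttpUtility.HtmlEncode(price.ToString("C"));
    }
}
```

Signing view state with the MAC prevents tampering but not reading: the MAC does not encrypt, so data that must stay confidential still does not belong in view state at all.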

Enable SSL when using Basic authentication or ASP.NET forms authentication

Protect your cookies

Always protect your authentication cookies when using forms authentication, and set timeouts as short as possible and only as long as necessary.

Use SSL

In general, if your web application processes sensitive data, secure your whole website using SSL. Don’t forget to protect even image directories or directories with other files not managed by the application directly through SSL.
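The cookie and SSL guidelines above, as an added example written for this page (not code from the article or the book): a login page that refuses to run over plain HTTP and issues a forms authentication cookie with explicit attributes. It assumes forms authentication is enabled in web.config, a membership provider is configured, and the page has TextBoxes UserNameBox and PasswordBox, a Button LoginButton and a Label ErrorLabel.

```csharp
// Added example (not from the article): forms-authentication login that only
// runs over SSL and marks the auth cookie Secure and HttpOnly.
// Assumptions: <authentication mode="Forms"> and a membership provider in
// web.config; controls UserNameBox, PasswordBox, LoginButton, ErrorLabel.
// The ticket lifetime is set in web.config, kept as short as the application
// allows, e.g.:
//   <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="false" requireSSL="true" />
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Credentials and the resulting cookie must only ever travel over SSL:
        // send a plain-HTTP request to the HTTPS version of the same URL.
        if (!Request.IsSecureConnection)
        {
            UriBuilder secure = new UriBuilder(Request.Url);
            secure.Scheme = Uri.UriSchemeHttps;
            secure.Port = 443;
            Response.Redirect(secure.Uri.AbsoluteUri, true);
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserNameBox.Text, PasswordBox.Text))
        {
            // One generic message for both unknown user and wrong password.
            ErrorLabel.Text = "Login failed.";
            return;
        }

        // Build the authentication cookie explicitly so its attributes are visible
        // in code. createPersistentCookie = false: the cookie dies with the browser
        // session and the ticket expires after the configured timeout.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie(UserNameBox.Text, false);
        authCookie.Secure = true;    // never sent over plain HTTP
        authCookie.HttpOnly = true;  // not readable by script running in the page
        Response.Cookies.Add(authCookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserNameBox.Text, false), true);
    }
}
```

With requireSSL="true" in the forms element ASP.NET sets the Secure flag itself; setting it in code as well makes the intent explicit and survives a configuration change. The timeout and slidingExpiration values in the comment are illustrative; pick the shortest lifetime the application can tolerate.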

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.
Written By
Engineer, Iran
I was born in Shiraz (Iran), the city of popular poets and flowers.
Studied more than 8 years in Canada and was at UNB (University of New Brunswick) for a year.
Graduated from Shiraz University in the field of Computer Engineering.
MBA in Management at Khazar University.
Love to play soccer and write C# code.

Comments and Discussions

Thanks for your article (General) - Le Van Long, 19-Mar-11 4:04
My vote of 2 (General) - GJ.Coder, 26-Sep-09 22:58