Application Categories Considerations

User input is validated for type, length, format, and range. Input is checked for known valid and safe data and then for malicious, dangerous data.

String form field input is validated using regular expressions (for example, by the RegularExpressionValidator control.)

Regular HTML controls, query strings, cookies, and other forms of input are validated using the Regex class and/or your custom validation code.

The RequiredFieldValidator control is used where data must be entered.

Range checks in server controls are checked by RangeValidator controls.

Free form input is sanitized to clean malicious data.

Input file names are well formed and are verifiably valid within the application context.

Output that includes input is encoded with HtmlEncode and UrlEncode.

MapPath restricts cross-application mapping where appropriate.

Character encoding is set by the server (ISO-8859-1 is recommended).

The ASP.NET version 1.1 validateRequest option is enabled.

URLScan is installed on the Web server.

The HttpOnly cookie option is used for defense in depth to help prevent cross-site scripting. (This applies to Internet Explorer 6.1 or later.)

SQL parameters are used in data access code to validate length and type of data and to help prevent SQL injection.

Site is partitioned to restricted areas and public areas.

Absolute URLs are used for navigation where the site is partitioned with secure and non-secure folders.

Secure Sockets Layer (SSL) is used to protect credentials and authentication cookies.

The slidingExpiration attribute is set to "false" and limited authentication cookie time-outs are used where the cookie is not protected by using SSL.

The forms authentication cookie is restricted to HTTPS connections by using the requireSSL attribute or the Secure cookie property.

The authentication cookie is encrypted and integrity checked (protection="All").

Authentication cookies are not persisted .

Application cookies have unique path / name combinations.

Personalization cookies are separate from authentication cookies.

Passwords are not stored directly in the user store; password digests with salt are stored instead.

The impersonation credentials (if using a fixed identity) are encrypted in the configuration file by using Aspnet_setreg.exe.

Strong password policies are implemented for authentication.

The <credentials> element is not used inside <forms> element for Forms authentication (use it for testing only).

URL authorization is used for page and directory access control.

File authorization is used with Windows authentication.

Principal permission demands are used to secure access to classes and members .

Explicit role checks are used if fine-grained authorization is required.

Configuration file retrieval is blocked by using HttpForbiddenHandler .

A least-privileged account is used to run ASP.NET.

Custom account credentials (if used) are encrypted on the <processModel> element by using Aspnet_setreg.exe.

To enforce machine-wide policy, Web.config settings are locked by using allowOveride="false" in Machine.config.

SSL is used to protect sensitive data on the wire.

Sensitive data is not passed across pages; it is maintained using server-side state management.

Sensitive data is not stored in cookies, hidden form fields, or query strings.

Do not cache sensitive data. Output caching is off by default.

Plain text passwords are avoided in Web.config and Machine.config files. (Aspnet_setreg.exe is used to encrypt credentials.)

The session cookie is protected using SSL on all pages that require authenticated access.

The session state service is disabled if not used.

The session state service (if used) runs using a least-privileged account.

Windows authentication is used to connect to Microsoft SQL Server state database.

Access to state data in the SQL Server is restricted.

Connection strings are encrypted by using Aspnet_setreg.exe.

The communication channel to state store is encrypted (IPSec or SSL).

View state is protected using message authentication codes (MACs).

Query strings with server secrets are hashed .

All input parameters are validated.

Page.ViewStateUserKey is used to counter one-click attacks.

Structured exception handling is used.

Exception details are logged on the server.

Generic error pages with harmless messages are returned to the client.

Page-level or application-level error handlers are implemented.

The application distinguishes between errors and exception conditions.

The ASP.NET process is configured to allow new event sources to be created at runtime, or application event sources to be created at installation time.