ASP.NET is a web application framework responsible for creating some of the most fluid and dynamic websites, applications, and services. According to ASafaWeb, “67% of ASP.NET websites have serious configuration related security vulnerabilities.” When it comes to securing these Microsoft developed sites and applications, it is essential to grasp the key security features of ASP.NET.
As a certified Microsoft Partner, Clarity’s developers and expertise can help counter threats, protect your site, and keep you ahead of the curve. There are a multitude of principles and practices to foster a protected ASP.NET experience. Below, we share how minimizing application privileges, shielding malicious user input, and securing cookies can keep your client environment safe and sound.
Minimize Application Privileges
Running applications with the least amount of privileges is one of the fastest and easiest ways to avoid malicious users. As a general rule, it’s best to avoid running your application with the identity of a system user and/or administrator. Utilizing the least permissive setting on permissions or Access Control Lists, like setting your files to be read-only, help confirm system safety. Lastly, storing your web application files below the application root deters any culprit from getting access to the root of your server.
Shield Malicious User Input
Most ASP.NET applications and websites have a two-way interface between the client and application/site itself. As a rule of thumb, never assume the input from users is safe. To help guard against malicious input, please follow the five guidelines below:
- Never store unfiltered user input in a database
- If you choose to accept some HTML from a user, then filter it manually
- Before displaying unsecure information, encode HTML into display strings
- Do not assume that information you get from the HTTP request header is safe
- Please do not store sensitive information, i.e. passwords, in a place accessible from the browser
Web cookies are small pieces of data sent from your site and stored in a user’s web browser while they peruse the site. Historically, cookies are a useful way to keep user-specific information available for business intelligence. Setting expiration dates on cookies to the shortest practical time, and avoiding permanent cookies altogether will help eliminate malicious use. At Clarity, we strongly advise you to not store any critical information in cookies. Instead, keep a reference in the cookie to a location on the serer where the information is located.
Clarity has spent several years developing successful ASP.NET solutions for an array of exceptional clients. Whether it’s an application, website, or interactive service, we help safely and securely drive your business. Please contact us to learn how we can positively impact your organization. Thank you.