

ASP.NET Security: 8 Ways to Avoid Attack : Page 5

Adding security to Web apps may not be great fun, but it doesn't have to be hard. You can easily ensure your apps meet today's best practices by applying eight principles for secure Web development.





Tip 7—Do Some Housekeeping before You Deploy Your Web Application
Tracing ASP.NET Web applications is easy: enable the <trace> element in the Web.config file, or the Trace attribute of the @Page directive. Trace output, however, reveals request details, server variables, session contents, and control trees to anyone who can view it. When you are ready to deploy the Web application, be sure to disable tracing at both the page level and the application level, which you can do with this code:

<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />

Also, turn off debug mode in the Web.config file. Debug builds run slower, and, combined with detailed error pages, they expose source line numbers and stack traces:

<compilation defaultLanguage="vb" debug="false" />

In the <customErrors> element in Web.config, remember to set the mode attribute to RemoteOnly (or On) so that detailed ASP.NET error pages are never sent to remote clients:

<customErrors mode="RemoteOnly" />

The mode attribute has three possible values:
  • "On" always displays custom (friendly) messages, to local and remote users alike.
  • "Off" always displays detailed ASP.NET error information, including stack traces and source excerpts. Never ship with this setting.
  • "RemoteOnly" displays custom (friendly) messages to users not running on the local Web server, while developers logged on to the server still see the full details. This setting is recommended for security purposes, so that you do not disclose application internals to remote clients.
Last, but not least, remove the Solution and Project files (.sln, .vbproj, .csproj) from your deployment server. If their extensions are not mapped to the ASP.NET ISAPI filter, IIS serves them as plain static files, so an attacker only has to guess their names to read their contents directly from a Web browser.

Tip 8—Use Sessions, but Not Cookie-less Sessions
If there is a need to persist sensitive information about a user, use Session objects. Session objects in ASP.NET use a cookie to hold only the Session ID, which is passed to and fro between the client and the server. The Session data itself, including any sensitive information, is stored on the server side. Hence, the only value exposed on the wire is the Session ID, not the sensitive information.

ASP.NET supports cookie-less sessions, which might seem tempting since some users turn cookies off in their browsers. But don't go down that road: with cookie-less sessions the Session ID is embedded in the URL, so it ends up in browser history, proxy and server logs, bookmarks, and the Referer header sent to other sites. Anyone who obtains such a URL can paste it into a browser and take over the session (session hijacking), and an attacker can also hand a victim a URL containing a chosen Session ID (session fixation). The bottom line is, always avoid cookie-less sessions.
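The deployment settings from Tip 7 and the cookie-less session setting from Tip 8 are all visible in Web.config, so a pre-deployment check can be automated. The following script is an added example, not code from the original article: it parses a Web.config with Python's standard xml.etree module and reports every setting that should not go to production (tracing enabled, debug builds, customErrors mode="Off", and cookie-less session state). Both Web.config documents below are constructed for the example; the defaults assumed when an element or attribute is absent (trace and debug off, customErrors RemoteOnly, cookies used for sessions) match the ASP.NET defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Web.config still carrying development-time settings.
WEAK_WEB_CONFIG = """
<configuration>
  <system.web>
    <trace enabled="true" requestLimit="10" pageOutput="true" localOnly="false" />
    <compilation defaultLanguage="vb" debug="true" />
    <customErrors mode="Off" />
    <sessionState mode="InProc" cookieless="true" timeout="20" />
  </system.web>
</configuration>
"""

# Constructed sample: the same file after applying Tip 7 and Tip 8.
HARDENED_WEB_CONFIG = """
<configuration>
  <system.web>
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
    <compilation defaultLanguage="vb" debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />
    <sessionState mode="InProc" cookieless="false" timeout="20" />
  </system.web>
</configuration>
"""


def _attr(elem, name, default):
    """Read an attribute, falling back to the ASP.NET default when the element or attribute is missing."""
    if elem is None:
        return default
    return elem.get(name, default)


def audit_web_config(xml_text):
    """Return a list of (element, finding) tuples for settings that are unsafe to deploy."""
    root = ET.fromstring(xml_text)
    # Locate <system.web> by tag name rather than an ElementPath expression,
    # since the tag contains a dot.
    web = next((child for child in root if child.tag == "system.web"), None)
    findings = []
    if web is None:
        return findings  # nothing configured: framework defaults apply, which are safe here

    # Tip 7: tracing must be off. localOnly="false" is worse, as trace.axd
    # and per-page trace output become reachable from remote clients.
    trace = web.find("trace")
    if _attr(trace, "enabled", "false").lower() == "true":
        if _attr(trace, "localOnly", "true").lower() != "true":
            findings.append(("trace", "tracing enabled with localOnly=false: trace output is exposed to remote clients"))
        else:
            findings.append(("trace", "tracing enabled: set enabled=\"false\" before deployment"))

    # Tip 7: no debug builds in production.
    compilation = web.find("compilation")
    if _attr(compilation, "debug", "false").lower() == "true":
        findings.append(("compilation", "debug=true: debug build exposes source details in errors; set debug=\"false\""))

    # Tip 7: customErrors must be RemoteOnly or On. Only Off is a finding.
    custom_errors = web.find("customErrors")
    if _attr(custom_errors, "mode", "RemoteOnly").lower() == "off":
        findings.append(("customErrors", "mode=Off: detailed ASP.NET error pages are shown to remote clients"))

    # Tip 8: no cookie-less sessions. Besides true/false, later ASP.NET versions accept
    # UseCookies, UseUri, AutoDetect and UseDeviceProfile; anything other than
    # false/UseCookies can place the Session ID in the URL.
    session_state = web.find("sessionState")
    cookieless = _attr(session_state, "cookieless", "false").lower()
    if cookieless not in ("false", "usecookies"):
        findings.append(("sessionState", "cookieless=%s: Session ID may be carried in the URL; use cookies" % cookieless))

    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label + ":")
        for element, message in audit_web_config(config) or [("-", "no findings")]:
            print("  <%s>: %s" % (element, message))
```

Run it against a real Web.config by reading the file into a string and passing it to audit_web_config; a non-empty result on the file you are about to deploy means Tip 7 or Tip 8 has not been applied yet.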

Wei-Meng Lee is a Microsoft .NET MVP and co-founder of Active Developer, a training company specializing in .NET and wireless technologies. He is a frequent speaker and author of numerous books on .NET, XML, and wireless technologies.