Web application security tips

Website security is a major concern for any online business. Here are 10 tips that will help you build a secure web application using the ASP.NET MVC framework.

Before I start talking about the points we should consider for web application security, let's split the application into three major layers (there could be more): the user interface (GUI), the code-behind or business logic layer, and the data access layer. As web application developers most of us are familiar with these three layers and the application building process, and we need to make sure every layer is secure enough for end users to consume the application.

You need to consider all of the following aspects of your web application setup on the production server; here are some tasks that will help you build a secure application.

From the UI to the business layer to the data access layer, application configuration, hosting environment and error handling, every small task matters.

  1. Basic UI Form security

    Designing a good user form is the first line of defence for the application, so here are some points we should always consider. Remember that anything enforced only in the browser (max length, input masks, disabled buttons) can be removed by the user or bypassed with a crafted request, so every rule below must be enforced again on the server.

    Form input field design: make sure each field accepts exactly the data you want the user to enter; do not allow additional characters or a different data type.

    If it is a registration form, first ask for a valid email or mobile number and send an OTP (one-time password) to confirm that the user actually controls it.

    Set the max length and format of data wherever possible; do not let users post unnecessary data.

    Disabling copy/paste so that users type each field manually is sometimes suggested, but it also breaks password managers and accessibility tools and gives no protection against a scripted request, so prefer strict server-side validation over blocking paste.

  2. Always set the form method to POST (method="post") so that submitted data is not exposed in the query string, browser history and server logs (unless the form is a search box or something similar). POST alone does not hide the data in transit; serve the form and its action URL over HTTPS.

    Do not allow the user to click the submit button multiple times: disable the button immediately after the first submit, and redirect after a successful POST so that a page refresh does not resubmit the form. Learn how to prevent multiple form submits in an MVC application.

  3. Implement an anti-forgery token to protect the form from cross-site request forgery (CSRF): a page on an attacker's site cannot read the token that belongs to the victim's browser session, so a forged cross-site POST that lacks a matching token is rejected. The one-line implementation of the anti-forgery token really can stop these attacks; here is how you can implement an anti-forgery token in an MVC form.
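Tips 1 to 3 applied together on the server side, as an added example that is not part of the original page. It assumes ASP.NET MVC 5 (System.Web.Mvc); the RegisterViewModel, AccountController and VerifyOtp names are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example (not from the original page). Model, controller and action names are hypothetical.
public class RegisterViewModel
{
    // Server-side limits mirror the maxlength/format rules rendered on the form: a client can
    // strip the HTML attributes or replay the request with curl, so the server re-validates.
    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }

    [Required, RegularExpression(@"^\+?[0-9]{8,15}$", ErrorMessage = "Enter digits only")]
    public string Mobile { get; set; }

    [Required, StringLength(128, MinimumLength = 10)]
    [DataType(DataType.Password)]
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Register()
    {
        return View(new RegisterViewModel());
    }

    // [HttpPost] keeps the data out of the query string (tip 2). [ValidateAntiForgeryToken]
    // rejects any POST whose hidden __RequestVerificationToken field does not match the
    // anti-forgery cookie issued to this browser, which defeats cross-site request forgery (tip 3).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid)
        {
            // Redisplay the form with per-field errors; nothing has been persisted.
            return View(model);
        }

        // Hypothetical next step: send the OTP to model.Email / model.Mobile, store a pending
        // registration, then redirect (post-redirect-get) so a refresh re-sends nothing (tip 2).
        return RedirectToAction("VerifyOtp");
    }
}
```

In the Razor view the form is `@using (Html.BeginForm())` with `@Html.AntiForgeryToken()` inside it; the hidden field that helper emits is what `[ValidateAntiForgeryToken]` checks. The same DataAnnotations drive MVC's unobtrusive client-side validation, so the browser rules and the server rules come from one place.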

  4. If you are still working on an earlier Web Forms application, try not to depend on ViewState, especially for sensitive data: it is sent to the client base64-encoded (not encrypted unless you turn on ViewState encryption), and a ViewState that is not bound to the user can be replayed in a CSRF attack. If you do use it, set ViewStateUserKey so the ViewState MAC is tied to the current session:

    protected override void OnInit(EventArgs e)
    {
        // Bind the ViewState to this session: a ViewState captured or forged for a different
        // session fails MAC validation, which blocks replayed and cross-site POSTs.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }
  5. Configuration Security

    Never deploy an application with compilation debug set to true (debug="true") in your web.config file: debug mode disables compiler optimisations, ignores request execution timeouts and includes source line information in error pages. Always make sure the value is set to false as in the example below.

        <compilation debug="false" targetFramework="4.5" />
  6. Always make sure tracing is turned off in the config file. With tracing enabled, trace.axd lists recent requests with their headers, cookies, form and query values, session state and server variables, and that page is reachable remotely when localOnly="false". Learn more about tracing to know what type of information tracing can reveal.

    <trace enabled="false" />
  7. Never reveal your application errors to end users. Always have your error-handling mechanism capture the actual error (log it on the server), then display a user-friendly error page. In web.config set customErrors mode="On" (or "RemoteOnly", which keeps full details visible only when browsing from the server itself) and redirect to standard pages:

    <customErrors mode="On" defaultRedirect="~/error">
      <error statusCode="404" redirect="~/error/page404" />
      <error statusCode="500" redirect="~/error/page500" />
    </customErrors>

    Learn more about MVC exception handling with a real-time example.

  8. Never keep database configuration details in plain text in your web.config file. The simplest option is the built-in protected configuration: running aspnet_regiis -pe "connectionStrings" -app "/YourApp" encrypts that section with DPAPI or RSA, the application decrypts it transparently, and no key sits in your code. If you encrypt values yourself, as below, use a strong key that is different from every other application deployed on the same server, and keep that key outside the web root and out of source control.

    <!-- 203.0.113.10 is a placeholder from the RFC 5737 documentation range -->
    <add key="ServerName" value="203.0.113.10" />
    <add key="SchemaName" value="dbo" />
    <add key="DatabaseName" value="wbFHrLYy5gdfgd8wHLOabhVmkidr0w==" />
    <add key="UserId" value="qI9EbaAw3BJ3qgdfgfdts3oP1hCB3A==" />
    <add key="Password" value="Dg8trtyu7d6vANgGdfggbgVgHT/x3lcg==" />
  9. Database query security consideration

    If you are using an ORM like NHibernate or Entity Framework, you are in better shape compared to hand-written SqlCommand queries, because the ORM parameterises values for you and so prevents SQL injection. That does not mean raw SQL is bad (it can give better performance), but here are a few points you should consider while writing SQL queries. Note that an ORM's raw-SQL escape hatches (for example, passing a concatenated string to FromSqlRaw or ExecuteSqlRaw in EF Core) are just as injectable as a hand-built SqlCommand.

    • Avoid building SQL text by concatenating user input into a SqlCommand, like insert into table (field1, field2) values ('rValue1', 'rValue2') where rValue1 and rValue2 come straight from the request: the input becomes part of the statement.
    • Use parameterised queries (SqlParameter) for every user-supplied value, whether you call a stored procedure or write inline SQL. A stored procedure only removes the risk when it is called with parameters and does not build dynamic SQL from them internally.
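The vulnerable pattern beside its parameterised form, as an added example that is not from the original page. It assumes System.Data.SqlClient; the Users table, its columns and the usp_CountUsersByDomain procedure are hypothetical, and the open SqlConnection is assumed to be built from protected configuration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original page). Table, column and procedure names are hypothetical.
public static class UserRepository
{
    // VULNERABLE: the user-controlled values become part of the SQL text. An input such as
    // x', 'y'); DROP TABLE Users;-- changes the statement instead of being stored as data.
    public static void InsertUserUnsafe(SqlConnection conn, string userName, string email)
    {
        string sql = "INSERT INTO Users (UserName, Email) VALUES ('" + userName + "', '" + email + "')";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: the SQL text is fixed; the values travel to SQL Server as typed parameters and are
    // never parsed as SQL, regardless of the quotes or comment markers they contain.
    public static void InsertUser(SqlConnection conn, string userName, string email)
    {
        const string sql = "INSERT INTO Users (UserName, Email) VALUES (@UserName, @Email)";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            cmd.ExecuteNonQuery();
        }
    }

    // A stored procedure is only as safe as the way it is called: use CommandType.StoredProcedure
    // with SqlParameters, never an "EXEC usp_... '" + input + "'" string. If the procedure itself
    // concatenates its arguments into dynamic SQL, it is injectable from the inside as well.
    public static int CountUsersByDomain(SqlConnection conn, string domain)
    {
        using (var cmd = new SqlCommand("dbo.usp_CountUsersByDomain", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Domain", SqlDbType.NVarChar, 253).Value = domain;
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }
}
```

The explicit SqlDbType and length on each parameter matter beyond injection: they keep the plan cache stable and stop an over-long value from being silently accepted. With Entity Framework Core the same split exists, FromSqlRaw with a concatenated string is the unsafe form and FromSqlInterpolated (or FromSqlRaw with parameters) is the safe one.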

  10. If you are building on ASP.NET Core, make sure you use ASP.NET Core Identity. Identity never stores the password itself; it stores a PBKDF2 hash with a per-user random salt (the iteration count can be raised through PasswordHasherOptions.IterationCount). You can set a secure password and lockout policy like the example below.

    Learn more about Identity in ASP.NET Core.

    using System;
    using Microsoft.AspNetCore.Identity;

    // In ConfigureServices (or Program.cs), after services.AddIdentity<...>()
    services.Configure<IdentityOptions>(options =>
    {
        // Password settings
        options.Password.RequireDigit = true;
        options.Password.RequiredLength = 10;
        options.Password.RequireNonAlphanumeric = true;
        options.Password.RequireUppercase = true;
        options.Password.RequireLowercase = true;
        options.Password.RequiredUniqueChars = 6;

        // Lockout settings: a low MaxFailedAccessAttempts slows online guessing, but it also
        // lets an attacker lock out a known username on purpose, so pair it with monitoring.
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(20);
        options.Lockout.MaxFailedAccessAttempts = 3;

        // Sign-in and user settings
        options.SignIn.RequireConfirmedEmail = true;
        options.User.RequireUniqueEmail = true;
    });
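How the PBKDF2 hashing mentioned above is used in practice, as an added example that is not from the original page. It uses Identity's own PasswordHasher&lt;TUser&gt; from Microsoft.AspNetCore.Identity; the AppUser class and PasswordStore wrapper are hypothetical.

```csharp
using Microsoft.AspNetCore.Identity;

// Added example (not from the original page). AppUser and PasswordStore are hypothetical names;
// PasswordHasher<TUser> is Identity's real PBKDF2 implementation (random 128-bit salt per hash).
public class AppUser
{
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
}

public static class PasswordStore
{
    private static readonly PasswordHasher<AppUser> Hasher = new PasswordHasher<AppUser>();

    // Store only the salted PBKDF2 hash, never the password. Two calls with the same password
    // produce different strings because the salt is random, so hashes cannot be compared directly.
    public static void SetPassword(AppUser user, string password)
    {
        user.PasswordHash = Hasher.HashPassword(user, password);
    }

    // Returns true when the password matches the stored hash. SuccessRehashNeeded means the hash
    // was produced with an older format or a lower iteration count than the current settings,
    // so it is re-hashed now, while the clear-text password is available, to upgrade it in place.
    public static bool CheckPassword(AppUser user, string password)
    {
        PasswordVerificationResult result =
            Hasher.VerifyHashedPassword(user, user.PasswordHash, password);

        if (result == PasswordVerificationResult.SuccessRehashNeeded)
        {
            user.PasswordHash = Hasher.HashPassword(user, password);
            return true;
        }

        return result == PasswordVerificationResult.Success;
    }
}
```

When you use UserManager&lt;TUser&gt; this is what it does for you on sign-in; the explicit version is useful when migrating an existing user table or checking a password outside the normal login flow. Raising PasswordHasherOptions.IterationCount later does not invalidate stored hashes: old ones keep verifying and are upgraded through the rehash path above.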

